Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03-10-2024 19:26
Behavioral task
behavioral1
Sample
295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe
Resource
win10v2004-20240802-en
General
-
Target
295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe
-
Size
547KB
-
MD5
7c9c30680dd2f61cd7f5a93527cd2200
-
SHA1
2f1121e93475e3dba2d25ed10fc8fd1ae3d2e982
-
SHA256
295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83
-
SHA512
dd233d82e64c9be1e89d6d6670e0d10e411a82d27205010e98a1a070e01a2a392c1d903749474319bb3a59bc57f0bcf4e829128de5226f51182ef4b962eb819e
-
SSDEEP
6144:UvEN2U+T6i5LirrllHy4HUcMQY6Fn5wnb+gWxb3:GENN+T5xYrllrU7QY6Nb3
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.lamela.si - Port:
587 - Username:
[email protected] - Password:
2014viks5961lamela - Email To:
[email protected]
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes:
explorer.exesvchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" svchost.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
svchost.exeexplorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes:
explorer.exesvchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" svchost.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} svchost.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe -
Executes dropped EXE 6 IoCs
Processes:
295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 3460 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe 996 icsys.icn.exe 4392 explorer.exe 2996 spoolsv.exe 2504 svchost.exe 2728 spoolsv.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
svchost.exeexplorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 checkip.dyndns.org -
Drops file in Windows directory 6 IoCs
Processes:
svchost.exeexplorer.exeicsys.icn.exespoolsv.exedescription ioc process File opened for modification \??\c:\windows\system\svchost.exe svchost.exe File opened for modification C:\Windows\system\udsys.exe explorer.exe File opened for modification \??\c:\windows\system\explorer.exe icsys.icn.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\system\svchost.exe spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2460 3460 WerFault.exe 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe explorer.exesvchost.exespoolsv.exeat.exe295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exeicsys.icn.exespoolsv.exeat.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icsys.icn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language at.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe icsys.icn.exeexplorer.exesvchost.exepid process 3460 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe 996 icsys.icn.exe 996 icsys.icn.exe 4392 explorer.exe 4392 explorer.exe 4392 explorer.exe 4392 explorer.exe 4392 explorer.exe 4392 explorer.exe 2504 svchost.exe 2504 svchost.exe 2504 svchost.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe 2504 svchost.exe 4392 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
explorer.exesvchost.exepid process 4392 explorer.exe 2504 svchost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exedescription pid process Token: SeDebugPrivilege 3460 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe -
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 1648 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe 1648 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe 996 icsys.icn.exe 996 icsys.icn.exe 4392 explorer.exe 4392 explorer.exe 2996 spoolsv.exe 2996 spoolsv.exe 2504 svchost.exe 2504 svchost.exe 2728 spoolsv.exe 2728 spoolsv.exe 4392 explorer.exe 4392 explorer.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exedescription pid process target process PID 1648 wrote to memory of 3460 1648 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe PID 1648 wrote to memory of 3460 1648 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe PID 1648 wrote to memory of 3460 1648 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe PID 1648 wrote to memory of 996 1648 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe icsys.icn.exe PID 1648 wrote to memory of 996 1648 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe icsys.icn.exe PID 1648 wrote to memory of 996 1648 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe icsys.icn.exe PID 996 wrote to memory of 4392 996 icsys.icn.exe explorer.exe PID 996 wrote to memory of 4392 996 icsys.icn.exe explorer.exe PID 996 wrote to memory of 4392 996 icsys.icn.exe explorer.exe PID 4392 wrote to memory of 2996 4392 explorer.exe spoolsv.exe PID 4392 wrote to memory of 2996 4392 explorer.exe spoolsv.exe PID 4392 wrote to memory of 2996 4392 explorer.exe spoolsv.exe PID 2996 wrote to memory of 2504 2996 spoolsv.exe svchost.exe PID 2996 wrote to memory of 2504 2996 spoolsv.exe svchost.exe PID 2996 wrote to memory of 2504 2996 spoolsv.exe svchost.exe PID 2504 wrote to memory of 2728 2504 svchost.exe spoolsv.exe PID 2504 wrote to memory of 2728 2504 svchost.exe spoolsv.exe PID 2504 wrote to memory of 2728 2504 svchost.exe spoolsv.exe PID 2504 wrote to memory of 4816 2504 svchost.exe at.exe PID 2504 wrote to memory of 4816 2504 svchost.exe at.exe PID 2504 wrote to memory of 4816 2504 svchost.exe at.exe PID 2504 wrote to memory of 3204 2504 svchost.exe at.exe PID 2504 wrote to memory of 3204 2504 svchost.exe at.exe PID 2504 wrote to memory of 3204 2504 svchost.exe at.exe -
outlook_office_path 1 IoCs
Processes:
295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe -
outlook_win_path 1 IoCs
Processes:
295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe"C:\Users\Admin\AppData\Local\Temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\users\admin\appdata\local\temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exec:\users\admin\appdata\local\temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3460 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 11283⤵
- Program crash
PID:2460 -
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:996 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4392 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2728 -
C:\Windows\SysWOW64\at.exeat 19:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
- System Location Discovery: System Language Discovery
PID:4816 -
C:\Windows\SysWOW64\at.exeat 19:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
- System Location Discovery: System Language Discovery
PID:3204
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3460 -ip 34601⤵PID:3812
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe
Filesize272KB
MD5b046211fe3f420a9ceb7663a560ece96
SHA1785a1cff39f2a75cbfffed3d718e9e026b3c80a1
SHA25696134c810750cc56e372551f8070f06aee80ae0cc8eeac983502d6b8f66c77df
SHA5125a0fc701606682de24dfc1b8408b6d7c13205952128b211b9b7ef11a97871f2590d7c705b4032eab6a5661a1295fe4bc8bb58418b68e999e8fdd315009ca7eb3
-
Filesize
274KB
MD51cf16e75b8173523ed0d5ef4211b9f64
SHA111dbca355fc318803987ab9756bd27f3009734ed
SHA25670924977c57603c3f4f891951795650c96343308fff9ca30bff0140409c7d30c
SHA512147a33e14145a0f21edcc53cf21b5300385df2deb484fc6eaafceb7e5704c2ac544e2d7f90f59fc4c4888cdbb1136feadd87b02f8ecb42b5fe4063e551bec83d
-
Filesize
274KB
MD58ec609eeecb8c7d798fdf50084493a03
SHA1084b7023ab8efb4de9bd44c89aac899253bb520e
SHA2567af4a8dac6def5be83f8a838547cf2c29e94dbfc1d745ff05b3e3d6a97997558
SHA5120cffa70f1842092123253ccf7436c7085674c1c809f3436847b11efeb2d22c8c3cb3b5eb3f99cdbc9f9cac40f77eb1d3226619d53b52d3684bf3ca2deba608c8
-
Filesize
274KB
MD53d309066f9e70f752412743b56351401
SHA10c5bcbb6b3bb6c8aafe503ebc0c2358ed22f6423
SHA256a0e80beb15d0e0ffc3872fbb561dd0e440bdce37a19ba19135be8238a9e033e7
SHA5122db9755838f0eba42a7d39f4179e0504120e711a1cf1a2a94abd6f00b381f798c8757cb20baa477d46887714990e209009a32470f6921eee91de5fc030626d53
-
Filesize
274KB
MD52a0748fdf422074ac126c2c8b1ecceb9
SHA1b28fb17f4de8eca6dc1a4d1871ad7131174e73a5
SHA256beca580e5efb098717f01f04eaddbfd74d0fda25f14f26ec37d9d3476f6de587
SHA512254e474a754ba616a9f9371df839b2466a7ed0c98359bb589b4e2b30ebc1c7187ea1df4b1b792bdeabc1f3bfe50188a3b1153b7f5f01e2fed91814d8c88454b8
-
Filesize
274KB
MD5895f34de90e7faf56e5ada7a452e1265
SHA1d5bdc67d892f8c063fbd9764b002e9e2b3915648
SHA256a0e62a205452c93f8bc8c3f638dc1dcc1bf46219974a1c7ff3e8059313f0b061
SHA51259562da3ec1c37359ace5061a10646611e6eab029f66b122ba194352d393e5983d74c6372cc52ca2f03cfdd5a9ded4c725afcccd626e90cf8c863c95a15c67bd