Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09-11-2024 21:51
Behavioral task
behavioral1
Sample
f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
Resource
win7-20240903-en
General
-
Target
f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
-
Size
1.5MB
-
MD5
a3007093692d237b7c65f833bddf18d5
-
SHA1
f7c2841e1a51c7329d673e956f01b04d83db0eaf
-
SHA256
f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1
-
SHA512
1c3acd7a7495a1358951bf704dbfa19d38258adca20954f83e0352d109ed0a518c25864201e0b9283133c3f8bfca6e78e586180836b49bfbcb63307cf7381115
-
SSDEEP
24576:7i2Tro2H2HESq2eWJ6MQjySjylCnsJ39LyjbJkQFMhmC+6GD9QzF1lU6A:7xTc2H2tFvduySQCnsHyjtk2MYC5GDmY
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
resource yara_rule behavioral1/memory/2252-24-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/2252-23-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/2252-22-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/2324-56-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/2324-59-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/2324-61-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 6 IoCs
resource yara_rule behavioral1/memory/2252-24-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/2252-23-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/2252-22-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/2324-56-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/2324-59-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/2324-61-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Xred family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" TXPlatforn.exe -
Executes dropped EXE 7 IoCs
pid Process 2424 HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 2252 RVN.exe 2240 TXPlatforn.exe 2324 TXPlatforn.exe 2752 ._cache_HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 2772 Synaptics.exe 864 ._cache_Synaptics.exe -
Loads dropped DLL 11 IoCs
pid Process 1856 f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 1856 f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 1856 f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 2240 TXPlatforn.exe 2424 HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 2424 HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 2424 HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 2424 HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 2772 Synaptics.exe 2772 Synaptics.exe 2772 Synaptics.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe -
resource yara_rule behavioral1/memory/2252-24-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2252-23-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2252-22-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2252-20-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2324-56-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2324-59-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2324-61-0x0000000010000000-0x00000000101B6000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RVN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TXPlatforn.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2012 cmd.exe 2620 PING.EXE -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2620 PING.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2084 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1856 f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 2324 TXPlatforn.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2252 RVN.exe Token: SeLoadDriverPrivilege 2324 TXPlatforn.exe Token: 33 2324 TXPlatforn.exe Token: SeIncBasePriorityPrivilege 2324 TXPlatforn.exe Token: 33 2324 TXPlatforn.exe Token: SeIncBasePriorityPrivilege 2324 TXPlatforn.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1856 f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 2084 EXCEL.EXE -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 1856 wrote to memory of 2252 1856 f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 30 PID 1856 wrote to memory of 2252 1856 f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 30 PID 1856 wrote to memory of 2252 1856 f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 30 PID 1856 wrote to memory of 2252 1856 f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 30 PID 1856 wrote to memory of 2252 1856 f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 30 PID 1856 wrote to memory of 2252 1856 f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 30 PID 1856 wrote to memory of 2252 1856 f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 30 PID 1856 wrote to memory of 2424 1856 f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 31 PID 1856 wrote to memory of 2424 1856 f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 31 PID 1856 wrote to memory of 2424 1856 f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 31 PID 1856 wrote to memory of 2424 1856 f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 31 PID 2252 wrote to memory of 2012 2252 RVN.exe 33 PID 2252 wrote to memory of 2012 2252 RVN.exe 33 PID 2252 wrote to memory of 2012 2252 RVN.exe 33 PID 2252 wrote to memory of 2012 2252 RVN.exe 33 PID 2240 wrote to memory of 2324 2240 TXPlatforn.exe 34 PID 2240 wrote to memory of 2324 2240 TXPlatforn.exe 34 PID 2240 wrote to memory of 2324 2240 TXPlatforn.exe 34 PID 2240 wrote to memory of 2324 2240 TXPlatforn.exe 34 PID 2240 wrote to memory of 2324 2240 TXPlatforn.exe 34 PID 2240 wrote to memory of 2324 2240 TXPlatforn.exe 34 PID 2240 wrote to memory of 2324 2240 TXPlatforn.exe 34 PID 2424 wrote to memory of 2752 2424 HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 36 PID 2424 wrote to memory of 2752 2424 HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 36 PID 2424 wrote to memory of 2752 2424 HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 36 PID 2424 wrote to memory of 2752 2424 HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 36 PID 2424 wrote to memory of 2772 2424 HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 38 PID 2424 wrote to memory of 2772 2424 HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 38 PID 2424 wrote to memory of 2772 2424 HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 38 PID 2424 wrote to memory of 2772 2424 HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe 38 PID 2012 wrote to memory of 2620 2012 cmd.exe 39 PID 2012 wrote to memory of 2620 2012 cmd.exe 39 PID 2012 wrote to memory of 2620 2012 cmd.exe 39 PID 2012 wrote to memory of 2620 2012 cmd.exe 39 PID 2772 wrote to memory of 864 2772 Synaptics.exe 41 PID 2772 wrote to memory of 864 2772 Synaptics.exe 41 PID 2772 wrote to memory of 864 2772 Synaptics.exe 41 PID 2772 wrote to memory of 864 2772 Synaptics.exe 41
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe"C:\Users\Admin\AppData\Local\Temp\f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Users\Admin\AppData\Local\Temp\RVN.exeC:\Users\Admin\AppData\Local\Temp\\RVN.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2620
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exeC:\Users\Admin\AppData\Local\Temp\HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Users\Admin\AppData\Local\Temp\._cache_HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe"C:\Users\Admin\AppData\Local\Temp\._cache_HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe"3⤵
- Executes dropped EXE
PID:2752
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:864
-
-
-
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2324
-
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2084
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21KB
MD5869176b72c884c0fb2c7c2096cbe81f0
SHA1a58ed2f14624003f2c90dabca0613788f6f42626
SHA25658d9729b2c830b10c6b97ac0d1fe4839d3c09c5ce1e50b93198c1522b7c7dc8b
SHA5124dec08bb5139374bdf87725c84ef451860820a0b3706173cc3b47479acab3a6b3d89b3ceb5fb089f3472ceae7f6806c183b00fe7a70248f2b0209e635b22d76b
-
Filesize
21KB
MD572ce4fc280e6b6515779f73083331102
SHA144026359db9d03e6db4bc10c98bb542882f5cf4a
SHA25615885bf67f95645e5af58eaf23c1b731699c14db3594fb324362b9b1ea5e5841
SHA512e3a90817364309da743734d602911cc871a54d7fcd27ce931e5eb7dc02b313ff2bbee0e4e0d35305e98ec6b0e99f7b4494197c6717b0996cada01bc97391584c
-
Filesize
25KB
MD502ae29eb25fa3148884ca1191e4bfb34
SHA1fc090d73afedb2a26e4d2736f870dc64fd8f1da9
SHA25656b67eba681465bb28d9ba946d89617ca0eccc550206c360ced2a8d2a31034da
SHA51266897b2c059f485c68cce50068fa37d03c5aa1b33467a3a0054440c67cff61207aea719a8219f330c62be7043d4736ed4098c5442910f06f624ff34dc969378f
-
Filesize
23KB
MD53bc893a707e062765329bac89edb29ba
SHA19cd03213882d4266dc8d028fe25859d52dc13bd5
SHA256dc6172f91a7f33355bfb6fd1d7df9d12deee905ac9ce17d0e5d14864d3fa23b8
SHA512dc38fd6abddb6ed387f3bd117f8f5248a1e80d315f736bfd0f485223e8a436585f2c9dc9e3083ad390813803a8572e0d57052e8e7b7e64b3aeda359dcda6bc4e
-
Filesize
26KB
MD5bfb54f88a42c3ba17c73d660261b3c38
SHA1acd7f31cf61559a319f08740781392a7ba275755
SHA256369951d76de17bd1a116f94003c358948a126bd8c669b9068e9d057797b66a5e
SHA512d238c3ca29bbfd5bf03824313228a84aa765cdfa61b0eb33ddfd1de1e097c575dd180b65e3b6b5f46d4f9a84208b0d676b50af7934b2bc5d2bdff614615ceaae
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
576KB
MD562fac9ef099447024ed09c067fdd1b80
SHA1cd1dfc25ef79de7a0afd47d8e37fd5eba6082dcf
SHA2562b2975b8e2903a9e180241773e84979d1c85aacd269c2805495bf544cfe188af
SHA5129661c42bf688de8bdad615cf270ae55869b543b63afdc883a4b3e6c0a20325d11c3da7de3bd4483428a9a733cfe97d45cc122b87f2f70c71d51794c5388f804a
-
C:\Users\Admin\AppData\Local\Temp\HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
Filesize924KB
MD5fc69db50ed849673c9bf40e214cbb6e4
SHA1a04ac9871d08e8a0ed6b79f78fc0d6eae609ee11
SHA25629ae1062e2b89180992283737193e0793df2feda365f8ba59a7037d4f13f1563
SHA512de8039e86738ea8d189dc25b2a9256691a31cbe0c56f50e34bafa7ac0fb339369ded2eeeee53497d6f3d03510cb4f11a917e6b3af7962eced969ed4f524a3c42
-
Filesize
165B
MD5ff09371174f7c701e75f357a187c06e8
SHA157f9a638fd652922d7eb23236c80055a91724503
SHA256e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8
SHA512e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882
-
\Users\Admin\AppData\Local\Temp\._cache_HD_f3f7199ba9ae45e662bed0b593057355aeb5b604817599ee33b70f261ce926c1.exe
Filesize170KB
MD565aa3807b36baa10d03a373eb33d7879
SHA1badfb2b05a202805fdd884e1a4560d7c4c624998
SHA256dbf5530ba4bb1b78336a70c5697dce50627263626ce9d3df11e89aa6ffbea737
SHA5128081c0c2053b33eab6a0eb7bbdf187c00b6ab7b5c5e675d741a565b29aaed12f54d8ab52fe94c6ea2a8add27697f65af92b9f3e0dbd67c2b7737f197b44c958a
-
Filesize
377KB
MD580ade1893dec9cab7f2e63538a464fcc
SHA1c06614da33a65eddb506db00a124a3fc3f5be02e
SHA25657a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4
-
Filesize
1.4MB
MD58d5ed30bedd5a7888ced3c1edc38cabd
SHA1bccb09ff05893bd44a465b52e6c0faf3bbcfa5b0
SHA25678e23d78c122f0702a1f64c5b7f618d661ec81af5ad43151a91109b8e1eb4948
SHA512d858870ad72a40b54bdc841e2ffa385cc5511b3d06f5153fd22e38372ed922198c3e095b0938efa10c7706157212d01e087837f63c34198018dfeb8dad341195