Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
10-12-2024 11:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4db0e1a6a1b4a0da143de18db0824eaef6f28386dd95578356da9838b7b25525.dll
Resource
win7-20240708-en
windows7-x64
12 signatures
150 seconds
General
-
Target
4db0e1a6a1b4a0da143de18db0824eaef6f28386dd95578356da9838b7b25525.dll
-
Size
156KB
-
MD5
0994a9a67fb9c156078f2232c35c98f4
-
SHA1
8ff14dc8dda768e242f74ba395496e671554a6ee
-
SHA256
4db0e1a6a1b4a0da143de18db0824eaef6f28386dd95578356da9838b7b25525
-
SHA512
d9c6b433ae4c5b249c30240e67cbbdb244fc38f7b636018f99a3240e9d33503cc5b5f0089c84e2aa5005a0b10b230f3f23d4ea0769b477b95992cf862bb37cf0
-
SSDEEP
3072:ln4cV8gf2u41Z5tKlw6XZufRdL+eONORnKW12hB7:B4y8gOl2puiORnj12hB7
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Ramnit family
-
Executes dropped EXE 2 IoCs
pid Process 3020 rundll32mgr.exe 3008 WaterMark.exe -
Loads dropped DLL 4 IoCs
pid Process 2972 rundll32.exe 2972 rundll32.exe 3020 rundll32mgr.exe 3020 rundll32mgr.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
resource yara_rule behavioral1/memory/3020-12-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/3008-26-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/3008-24-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/3008-23-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/3008-61-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/3008-67-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/3008-600-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll svchost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\INLAUNCH.DLL svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatializer_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libstereo_widen_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEES.DLL svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Linq.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libgain_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Journal\NBMapTIP.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\extensibility.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\DirectDB.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libalphamask_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\picturePuzzle.html svchost.exe File opened for modification C:\Program Files\Common Files\System\wab32.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libnfs_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\logger\libfile_logger_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mlp_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\Timeline.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libjpeg_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEREP.DLL svchost.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\msdatl3.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\sbdrop.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\authplay.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipres.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\MSSOAPR3.DLL svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Windows.Presentation.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\spu\libmosaic_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgaussianblur_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\hxdsui.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\net.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libdolby_surround_decoder_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libvorbis_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libhqdn3d_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Defender\MpClient.dll svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsBase.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libdcp_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\settings.html svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\atl.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libnsv_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libchain_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpnr.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\server\jvm.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libtcp_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\Microsoft.Ink.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\msvcr100.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\cpyr.htm svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\nss3.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\vcruntime140.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\JSProfilerCore.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32mgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process 3008 WaterMark.exe 3008 WaterMark.exe 3008 WaterMark.exe 3008 WaterMark.exe 3008 WaterMark.exe 3008 WaterMark.exe 3008 WaterMark.exe 3008 WaterMark.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe 2544 svchost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3008 WaterMark.exe Token: SeDebugPrivilege 2544 svchost.exe Token: SeDebugPrivilege 3008 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2328 wrote to memory of 2972 2328 rundll32.exe 31 PID 2328 wrote to memory of 2972 2328 rundll32.exe 31 PID 2328 wrote to memory of 2972 2328 rundll32.exe 31 PID 2328 wrote to memory of 2972 2328 rundll32.exe 31 PID 2328 wrote to memory of 2972 2328 rundll32.exe 31 PID 2328 wrote to memory of 2972 2328 rundll32.exe 31 PID 2328 wrote to memory of 2972 2328 rundll32.exe 31 PID 2972 wrote to memory of 3020 2972 rundll32.exe 32 PID 2972 wrote to memory of 3020 2972 rundll32.exe 32 PID 2972 wrote to memory of 3020 2972 rundll32.exe 32 PID 2972 wrote to memory of 3020 2972 rundll32.exe 32 PID 3020 wrote to memory of 3008 3020 rundll32mgr.exe 33 PID 3020 wrote to memory of 3008 3020 rundll32mgr.exe 33 PID 3020 wrote to memory of 3008 3020 rundll32mgr.exe 33 PID 3020 wrote to memory of 3008 3020 rundll32mgr.exe 33 PID 3008 wrote to memory of 2756 3008 WaterMark.exe 34 PID 3008 wrote to memory of 2756 3008 WaterMark.exe 34 PID 3008 wrote to memory of 2756 3008 WaterMark.exe 34 PID 3008 wrote to memory of 2756 3008 WaterMark.exe 34 PID 3008 wrote to memory of 2756 3008 WaterMark.exe 34 PID 3008 wrote to memory of 2756 3008 WaterMark.exe 34 PID 3008 wrote to memory of 2756 3008 WaterMark.exe 34 PID 3008 wrote to memory of 2756 3008 WaterMark.exe 34 PID 3008 wrote to memory of 2756 3008 WaterMark.exe 34 PID 3008 wrote to memory of 2756 3008 WaterMark.exe 34 PID 3008 wrote to memory of 2544 3008 WaterMark.exe 35 PID 3008 wrote to memory of 2544 3008 WaterMark.exe 35 PID 3008 wrote to memory of 2544 3008 WaterMark.exe 35 PID 3008 wrote to memory of 2544 3008 WaterMark.exe 35 PID 3008 wrote to memory of 2544 3008 WaterMark.exe 35 PID 3008 wrote to memory of 2544 3008 WaterMark.exe 35 PID 3008 wrote to memory of 2544 3008 WaterMark.exe 35 PID 3008 wrote to memory of 2544 3008 WaterMark.exe 35 PID 3008 wrote to memory of 2544 3008 WaterMark.exe 35 PID 3008 wrote to memory of 2544 3008 WaterMark.exe 35 PID 2544 wrote to memory of 256 2544 svchost.exe 1 PID 2544 wrote to memory of 256 2544 svchost.exe 1 PID 2544 wrote to memory of 256 2544 svchost.exe 1 PID 2544 wrote to memory of 256 2544 svchost.exe 1 PID 2544 wrote to memory of 256 2544 svchost.exe 1 PID 2544 wrote to memory of 336 2544 svchost.exe 2 PID 2544 wrote to memory of 336 2544 svchost.exe 2 PID 2544 wrote to memory of 336 2544 svchost.exe 2 PID 2544 wrote to memory of 336 2544 svchost.exe 2 PID 2544 wrote to memory of 336 2544 svchost.exe 2 PID 2544 wrote to memory of 384 2544 svchost.exe 3 PID 2544 wrote to memory of 384 2544 svchost.exe 3 PID 2544 wrote to memory of 384 2544 svchost.exe 3 PID 2544 wrote to memory of 384 2544 svchost.exe 3 PID 2544 wrote to memory of 384 2544 svchost.exe 3 PID 2544 wrote to memory of 396 2544 svchost.exe 4 PID 2544 wrote to memory of 396 2544 svchost.exe 4 PID 2544 wrote to memory of 396 2544 svchost.exe 4 PID 2544 wrote to memory of 396 2544 svchost.exe 4 PID 2544 wrote to memory of 396 2544 svchost.exe 4 PID 2544 wrote to memory of 432 2544 svchost.exe 5 PID 2544 wrote to memory of 432 2544 svchost.exe 5 PID 2544 wrote to memory of 432 2544 svchost.exe 5 PID 2544 wrote to memory of 432 2544 svchost.exe 5 PID 2544 wrote to memory of 432 2544 svchost.exe 5 PID 2544 wrote to memory of 476 2544 svchost.exe 6 PID 2544 wrote to memory of 476 2544 svchost.exe 6 PID 2544 wrote to memory of 476 2544 svchost.exe 6 PID 2544 wrote to memory of 476 2544 svchost.exe 6
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:256
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:336
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:384
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:476
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:596
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:1080
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵PID:1616
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:672
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:760
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:808
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1172
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:836
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵PID:3048
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:972
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:268
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:108
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:688
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1108
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵PID:624
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:1844
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:2744
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:492
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:500
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:396
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:432
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1228
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4db0e1a6a1b4a0da143de18db0824eaef6f28386dd95578356da9838b7b25525.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4db0e1a6a1b4a0da143de18db0824eaef6f28386dd95578356da9838b7b25525.dll,#13⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2756
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize144KB
MD5fe60e31df36000c85a72349102aba3e8
SHA13a23be9abbe6cd979602db3d4cc153f0389be863
SHA2561d08f446db69115b52ed56edaeb83f25d67cbfbf7e29209b8dbbfdb6e5a3dcd5
SHA5127caf38e8088bc4e7a4e5c6230691d8b68922242d71e36435ac4cce40e1cbfd1de6561c5af279a2a472b1d78327ca6cfea8900a875b81b4ad939a7dc291225376
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize140KB
MD5c668f36778c646800656f9e80be843ca
SHA18d5b70910abc836ccc995187f0d19cc9d1f83cde
SHA256897d767f0f44324959d01626fafe43d9716f36c543789fb6fcb8bd6c6603610e
SHA51286f9afff0971d39c2b2f3cffb23d680900e3ab6de043523bca09083bd927937645a8170212d190eeef3a6d9ba40f76d327659c11626abaa8f2a1e96a520e3201
-
Filesize
65KB
MD5a9ea94ee4a3bb43d4057823b2072dc54
SHA194ade3c34ec08613daba8a1240586c24f8169794
SHA2567edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789
SHA5120ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5