Analysis
-
max time kernel
148s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
14-12-2024 14:08
Behavioral task
behavioral1
Sample
eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe
Resource
win10v2004-20241007-en
General
-
Target
eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe
-
Size
431KB
-
MD5
4962575a2378d5c72e7a836ea766e2ad
-
SHA1
549964178b12017622d3cbdda6dbfdef0904e7e2
-
SHA256
eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676
-
SHA512
911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53
-
SSDEEP
12288:JOKJim5EI9tVEw/JF4+D3q2IMbgiDK7mWasB:Jj9tL8ZMEiDfWb
Malware Config
Extracted
amadey
5.10
0f3be6
http://185.81.68.147
http://185.81.68.148
-
install_dir
ee29ea508b
-
install_file
Gxtuum.exe
-
strings_key
d3a5912ea69ad34a2387af70c8be9e21
-
url_paths
/7vhfjke3/index.php
/8Fvu5jh4DbS/index.php
Extracted
redline
eewx
185.81.68.147:1912
Signatures
-
Amadey family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x000500000001975a-49.dat family_redline behavioral1/memory/3048-64-0x0000000000D00000-0x0000000000D52000-memory.dmp family_redline -
Redline family
-
Blocklisted process makes network request 12 IoCs
flow pid Process 8 2600 rundll32.exe 9 2600 rundll32.exe 12 2244 rundll32.exe 13 2244 rundll32.exe 16 2656 rundll32.exe 18 884 rundll32.exe 19 2656 rundll32.exe 20 884 rundll32.exe 23 2916 rundll32.exe 24 2932 rundll32.exe 25 2916 rundll32.exe 26 2932 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
pid Process 2856 Gxtuum.exe 3048 ssg.exe 2328 update.exe -
Loads dropped DLL 36 IoCs
pid Process 2388 eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe 2616 rundll32.exe 2616 rundll32.exe 2616 rundll32.exe 2616 rundll32.exe 2600 rundll32.exe 2600 rundll32.exe 2600 rundll32.exe 2600 rundll32.exe 2856 Gxtuum.exe 2856 Gxtuum.exe 2856 Gxtuum.exe 2424 rundll32.exe 2424 rundll32.exe 2424 rundll32.exe 2424 rundll32.exe 2244 rundll32.exe 2244 rundll32.exe 2244 rundll32.exe 2244 rundll32.exe 2656 rundll32.exe 2656 rundll32.exe 2656 rundll32.exe 2656 rundll32.exe 884 rundll32.exe 884 rundll32.exe 884 rundll32.exe 884 rundll32.exe 2932 rundll32.exe 2932 rundll32.exe 2932 rundll32.exe 2932 rundll32.exe 2916 rundll32.exe 2916 rundll32.exe 2916 rundll32.exe 2916 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\B2735E747A0869161091\\B2735E747A0869161091.exe" update.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\Gxtuum.job eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe -
pid Process 1584 powershell.exe 1644 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ssg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gxtuum.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 2304 netsh.exe 2480 netsh.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process 2600 rundll32.exe 2600 rundll32.exe 2600 rundll32.exe 2600 rundll32.exe 2600 rundll32.exe 2600 rundll32.exe 1584 powershell.exe 2328 update.exe 2244 rundll32.exe 2244 rundll32.exe 2244 rundll32.exe 2244 rundll32.exe 2244 rundll32.exe 2244 rundll32.exe 1644 powershell.exe 3048 ssg.exe 2328 update.exe 2328 update.exe 2328 update.exe 2328 update.exe 2328 update.exe 2328 update.exe 2328 update.exe 2328 update.exe 2328 update.exe 2328 update.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeDebugPrivilege 1584 powershell.exe Token: SeIncreaseQuotaPrivilege 2328 update.exe Token: SeSecurityPrivilege 2328 update.exe Token: SeTakeOwnershipPrivilege 2328 update.exe Token: SeLoadDriverPrivilege 2328 update.exe Token: SeSystemProfilePrivilege 2328 update.exe Token: SeSystemtimePrivilege 2328 update.exe Token: SeProfSingleProcessPrivilege 2328 update.exe Token: SeIncBasePriorityPrivilege 2328 update.exe Token: SeCreatePagefilePrivilege 2328 update.exe Token: SeBackupPrivilege 2328 update.exe Token: SeRestorePrivilege 2328 update.exe Token: SeShutdownPrivilege 2328 update.exe Token: SeDebugPrivilege 2328 update.exe Token: SeSystemEnvironmentPrivilege 2328 update.exe Token: SeRemoteShutdownPrivilege 2328 update.exe Token: SeUndockPrivilege 2328 update.exe Token: SeManageVolumePrivilege 2328 update.exe Token: 33 2328 update.exe Token: 34 2328 update.exe Token: 35 2328 update.exe Token: SeDebugPrivilege 1644 powershell.exe Token: SeDebugPrivilege 3048 ssg.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2388 eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2388 wrote to memory of 2856 2388 eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe 29 PID 2388 wrote to memory of 2856 2388 eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe 29 PID 2388 wrote to memory of 2856 2388 eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe 29 PID 2388 wrote to memory of 2856 2388 eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe 29 PID 2856 wrote to memory of 2616 2856 Gxtuum.exe 31 PID 2856 wrote to memory of 2616 2856 Gxtuum.exe 31 PID 2856 wrote to memory of 2616 2856 Gxtuum.exe 31 PID 2856 wrote to memory of 2616 2856 Gxtuum.exe 31 PID 2856 wrote to memory of 2616 2856 Gxtuum.exe 31 PID 2856 wrote to memory of 2616 2856 Gxtuum.exe 31 PID 2856 wrote to memory of 2616 2856 Gxtuum.exe 31 PID 2616 wrote to memory of 2600 2616 rundll32.exe 32 PID 2616 wrote to memory of 2600 2616 rundll32.exe 32 PID 2616 wrote to memory of 2600 2616 rundll32.exe 32 PID 2616 wrote to memory of 2600 2616 rundll32.exe 32 PID 2600 wrote to memory of 2304 2600 rundll32.exe 33 PID 2600 wrote to memory of 2304 2600 rundll32.exe 33 PID 2600 wrote to memory of 2304 2600 rundll32.exe 33 PID 2600 wrote to memory of 1584 2600 rundll32.exe 35 PID 2600 wrote to memory of 1584 2600 rundll32.exe 35 PID 2600 wrote to memory of 1584 2600 rundll32.exe 35 PID 2856 wrote to memory of 3048 2856 Gxtuum.exe 37 PID 2856 wrote to memory of 3048 2856 Gxtuum.exe 37 PID 2856 wrote to memory of 3048 2856 Gxtuum.exe 37 PID 2856 wrote to memory of 3048 2856 Gxtuum.exe 37 PID 2856 wrote to memory of 2328 2856 Gxtuum.exe 38 PID 2856 wrote to memory of 2328 2856 Gxtuum.exe 38 PID 2856 wrote to memory of 2328 2856 Gxtuum.exe 38 PID 2856 wrote to memory of 2328 2856 Gxtuum.exe 38 PID 2856 wrote to memory of 2424 2856 Gxtuum.exe 39 PID 2856 wrote to memory of 2424 2856 Gxtuum.exe 39 PID 2856 wrote to memory of 2424 2856 Gxtuum.exe 39 PID 2856 wrote to memory of 2424 2856 Gxtuum.exe 39 PID 2856 wrote to memory of 2424 2856 Gxtuum.exe 39 PID 2856 wrote to memory of 2424 2856 Gxtuum.exe 39 PID 2856 wrote to memory of 2424 2856 Gxtuum.exe 39 PID 2424 wrote to memory of 2244 2424 rundll32.exe 40 PID 2424 wrote to memory of 2244 2424 rundll32.exe 40 PID 2424 wrote to memory of 2244 2424 rundll32.exe 40 PID 2424 wrote to memory of 2244 2424 rundll32.exe 40 PID 2244 wrote to memory of 2480 2244 rundll32.exe 41 PID 2244 wrote to memory of 2480 2244 rundll32.exe 41 PID 2244 wrote to memory of 2480 2244 rundll32.exe 41 PID 2244 wrote to memory of 1644 2244 rundll32.exe 44 PID 2244 wrote to memory of 1644 2244 rundll32.exe 44 PID 2244 wrote to memory of 1644 2244 rundll32.exe 44 PID 2856 wrote to memory of 2656 2856 Gxtuum.exe 46 PID 2856 wrote to memory of 2656 2856 Gxtuum.exe 46 PID 2856 wrote to memory of 2656 2856 Gxtuum.exe 46 PID 2856 wrote to memory of 2656 2856 Gxtuum.exe 46 PID 2856 wrote to memory of 2656 2856 Gxtuum.exe 46 PID 2856 wrote to memory of 2656 2856 Gxtuum.exe 46 PID 2856 wrote to memory of 2656 2856 Gxtuum.exe 46 PID 2856 wrote to memory of 884 2856 Gxtuum.exe 47 PID 2856 wrote to memory of 884 2856 Gxtuum.exe 47 PID 2856 wrote to memory of 884 2856 Gxtuum.exe 47 PID 2856 wrote to memory of 884 2856 Gxtuum.exe 47 PID 2856 wrote to memory of 884 2856 Gxtuum.exe 47 PID 2856 wrote to memory of 884 2856 Gxtuum.exe 47 PID 2856 wrote to memory of 884 2856 Gxtuum.exe 47 PID 2856 wrote to memory of 2932 2856 Gxtuum.exe 49 PID 2856 wrote to memory of 2932 2856 Gxtuum.exe 49 PID 2856 wrote to memory of 2932 2856 Gxtuum.exe 49 PID 2856 wrote to memory of 2932 2856 Gxtuum.exe 49
Processes
-
C:\Users\Admin\AppData\Local\Temp\eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe"C:\Users\Admin\AppData\Local\Temp\eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe"C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:2304
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\692679935401_Desktop.zip' -CompressionLevel Optimal5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\10000840101\ssg.exe"C:\Users\Admin\AppData\Local\Temp\10000840101\ssg.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3048
-
-
C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe"C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:2480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\692679935401_Desktop.zip' -CompressionLevel Optimal5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2656
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:884
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2932
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2916
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
300KB
MD57b6730ca4da283a35c41b831b9567f15
SHA192ef2fd33f713d72207209ec65f0de6eef395af5
SHA25694d7d12ae53ce97f38d8890383c2317ce03d45bd6ecaf0e0b9165c7066cd300c
SHA512ae2d10f9895e5f2af10b4fa87cdb7c930a531e910b55cd752b15dac77a432cc28eca6e5b32b95eeb21e238aaf2eb57e29474660cae93e734d0b6543c1d462ace
-
Filesize
302KB
MD52682786590a361f965fb7e07170ebe2b
SHA157c2c049997bfebb5fae9d99745941e192e71df1
SHA25650dcab544d9da89056f9a7dcc28e641b743abe6afef1217ee0dfbd11e962e41d
SHA5129b1dc6ee05a28ef2dc76b7d1ae97202cadcfafd261cf876bb64f546991311f9a36e46620cce9ae8b58bfc8e4de69840618c90a9a3cab56b6660803691c1ff6dd
-
Filesize
76KB
MD5277e3537804d6b11425d6630ff2dca51
SHA1d3ec2ee9146c5cabcb03dddf6ccd3cffcc73a3d7
SHA256857a8f5771dea9fc9c484d7711aa8289b5dfc817e2320b489ccbdfe765f3e1ad
SHA512ef1072826ec95c35f6025a7eca63b7a3e4603b4fb9d10e34128aa3144c867fd845e21ef469b61a357bd8cccaa881b3ab572ca1bf5416fec031d56752fec3cac6
-
Filesize
13KB
MD522ad5a662c0e4e050741369296c1d688
SHA13a0e2c207f4475a5be3d8a0fbdd301b515a6d4ab
SHA256273d19b7c51feac97c30ccdc7453870c1896e3c0ab9b2785f6b2ab899c47ffea
SHA51269dc87ebcabe9207a87bda20955b47ac2a2a4c9e6ae0bb1fdbb79c67ff8bfcd6a2f125336337f7d9a06e6b40f16d5dec5fd07895f7be643fc561c3b791765754
-
Filesize
124KB
MD5c2f3fbbbe6d5f48a71b6b168b1485866
SHA11cd56cfc2dc07880b65bd8a1f5b7147633f5d553
SHA256c7ed512058bc924045144daa16701da10f244ac12a5ea2de901e59dce6470839
SHA512e211f18c2850987529336e0d20aa894533c1f6a8ae6745e320fd394a9481d3a956c719ac29627afd783e36e5429c0325b98e60aee2a830e75323c276c72f845a
-
Filesize
1.2MB
MD5c6aabb27450f1a9939a417e86bf53217
SHA1b8ef3bb7575139fd6997379415d7119e452b5fc4
SHA256b91a3743c7399aee454491862e015ef6fc668a25d1aa2816e065a86a03f6be35
SHA512e5fe205cb0f419e0a320488d6fa4a70e5ed58f25b570b41412ebd4f32bbe504ff75acb20bfea22513102630cf653a41e5090051f20af2ed3aadb53ce16a05944
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD51218086e4af1d5728ae5fb7d1cc64297
SHA19e375ddc0987a1967526abf768d07e97b4d8f396
SHA256adbdc8ec6a46184022b66a059071b8020111c9c14f6aa4d4b72a94cb1074e07a
SHA5125a7c0808f98e393d516cc11f730271649687e980b0bac7991e5f38c3cf39762a9421937fa1cef98b75bdf11c401d2ee9b72627899f0d4e1544d4b07e1b1d16ce
-
Filesize
431KB
MD54962575a2378d5c72e7a836ea766e2ad
SHA1549964178b12017622d3cbdda6dbfdef0904e7e2
SHA256eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676
SHA512911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53