Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16-12-2024 21:41
Static task
static1
Behavioral task
behavioral1
Sample
44c07ad4e0559d0f4c9884b8665243eef2772f2990328a82a2c40559ff88dea1.exe
Resource
win7-20240903-en
General
-
Target
44c07ad4e0559d0f4c9884b8665243eef2772f2990328a82a2c40559ff88dea1.exe
-
Size
7.1MB
-
MD5
774542c18369a36cbb4281782fded87f
-
SHA1
45292130f77e484bbaab72792890d9f61419bf82
-
SHA256
44c07ad4e0559d0f4c9884b8665243eef2772f2990328a82a2c40559ff88dea1
-
SHA512
693701ecd1a90887ce6b90827dcffdabb93f1594622e65bfcb9c8cc3642ca27dd82a4e43d95ee7150076d0dcfcb727edfdda1b85cb078230e02f1b5f14e9cf78
-
SSDEEP
98304:gGOSnfbzz2d463IROME9bCOspSizzAukSFdhkq/Bc7iJc8Id59OLtk+e:CSj3C4GIIdCOs2hSFdhJ/aemHdIk
Malware Config
Signatures
-
Detect Neshta payload 4 IoCs
resource yara_rule behavioral2/files/0x000a000000023b68-14.dat family_neshta behavioral2/memory/4644-130-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4644-148-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta behavioral2/memory/4644-150-0x0000000000400000-0x000000000041B000-memory.dmp family_neshta -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Neshta family
-
Xmrig family
-
XMRig Miner payload 9 IoCs
resource yara_rule behavioral2/memory/2448-139-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral2/memory/2448-138-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral2/memory/2448-145-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral2/memory/2448-146-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral2/memory/2448-143-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral2/memory/2448-144-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral2/memory/2448-142-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral2/memory/2448-151-0x0000000140000000-0x0000000140835000-memory.dmp xmrig behavioral2/memory/2448-152-0x0000000140000000-0x0000000140835000-memory.dmp xmrig -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation 44c07ad4e0559d0f4c9884b8665243eef2772f2990328a82a2c40559ff88dea1.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation SpyNote.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dvm.exe dvm.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dvm.exe dvm.exe -
Executes dropped EXE 4 IoCs
pid Process 1364 dvm.exe 4644 SpyNote.exe 4880 SpyNote.exe 4316 tempfile -
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" SpyNote.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 19 pastebin.com 22 pastebin.com -
Power Settings 1 TTPs 4 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 1888 powercfg.exe 4544 powercfg.exe 852 powercfg.exe 2760 powercfg.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4316 set thread context of 2448 4316 tempfile 97 -
resource yara_rule behavioral2/memory/2448-133-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/2448-137-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/2448-136-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/2448-139-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/2448-138-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/2448-135-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/2448-134-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/2448-145-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/2448-146-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/2448-143-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/2448-144-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/2448-142-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/2448-151-0x0000000140000000-0x0000000140835000-memory.dmp upx behavioral2/memory/2448-152-0x0000000140000000-0x0000000140835000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE SpyNote.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe SpyNote.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE SpyNote.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe SpyNote.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe SpyNote.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe SpyNote.exe File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe SpyNote.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE SpyNote.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe SpyNote.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe SpyNote.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe SpyNote.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe SpyNote.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe SpyNote.exe File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe SpyNote.exe File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe SpyNote.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe SpyNote.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE SpyNote.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe SpyNote.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe SpyNote.exe File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe SpyNote.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe SpyNote.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe SpyNote.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE SpyNote.exe File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe SpyNote.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe SpyNote.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE SpyNote.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE SpyNote.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE SpyNote.exe File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE SpyNote.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe SpyNote.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE SpyNote.exe File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe SpyNote.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe SpyNote.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe SpyNote.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE SpyNote.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE SpyNote.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe SpyNote.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\svchost.com SpyNote.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 3712 4880 WerFault.exe 87 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44c07ad4e0559d0f4c9884b8665243eef2772f2990328a82a2c40559ff88dea1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SpyNote.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SpyNote.exe -
Modifies registry class 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" SpyNote.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4316 tempfile 4316 tempfile 4316 tempfile 4316 tempfile 4316 tempfile 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe 2448 explorer.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeLockMemoryPrivilege 2448 explorer.exe Token: SeLockMemoryPrivilege 2448 explorer.exe Token: SeShutdownPrivilege 1888 powercfg.exe Token: SeCreatePagefilePrivilege 1888 powercfg.exe Token: SeShutdownPrivilege 4544 powercfg.exe Token: SeCreatePagefilePrivilege 4544 powercfg.exe Token: SeShutdownPrivilege 852 powercfg.exe Token: SeCreatePagefilePrivilege 852 powercfg.exe Token: SeShutdownPrivilege 2760 powercfg.exe Token: SeCreatePagefilePrivilege 2760 powercfg.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 3028 wrote to memory of 1364 3028 44c07ad4e0559d0f4c9884b8665243eef2772f2990328a82a2c40559ff88dea1.exe 84 PID 3028 wrote to memory of 1364 3028 44c07ad4e0559d0f4c9884b8665243eef2772f2990328a82a2c40559ff88dea1.exe 84 PID 3028 wrote to memory of 4644 3028 44c07ad4e0559d0f4c9884b8665243eef2772f2990328a82a2c40559ff88dea1.exe 86 PID 3028 wrote to memory of 4644 3028 44c07ad4e0559d0f4c9884b8665243eef2772f2990328a82a2c40559ff88dea1.exe 86 PID 3028 wrote to memory of 4644 3028 44c07ad4e0559d0f4c9884b8665243eef2772f2990328a82a2c40559ff88dea1.exe 86 PID 4644 wrote to memory of 4880 4644 SpyNote.exe 87 PID 4644 wrote to memory of 4880 4644 SpyNote.exe 87 PID 4644 wrote to memory of 4880 4644 SpyNote.exe 87 PID 1364 wrote to memory of 4316 1364 dvm.exe 88 PID 1364 wrote to memory of 4316 1364 dvm.exe 88 PID 4316 wrote to memory of 2448 4316 tempfile 97 PID 4316 wrote to memory of 2448 4316 tempfile 97 PID 4316 wrote to memory of 2448 4316 tempfile 97 PID 4316 wrote to memory of 2448 4316 tempfile 97 PID 4316 wrote to memory of 2448 4316 tempfile 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\44c07ad4e0559d0f4c9884b8665243eef2772f2990328a82a2c40559ff88dea1.exe"C:\Users\Admin\AppData\Local\Temp\44c07ad4e0559d0f4c9884b8665243eef2772f2990328a82a2c40559ff88dea1.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Users\Admin\AppData\Local\Temp\dvm.exe"C:\Users\Admin\AppData\Local\Temp\dvm.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Users\Admin\AppData\Local\Temp\tempfile"C:\Users\Admin\AppData\Local\Temp\tempfile"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1888
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4544
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:852
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
C:\Windows\explorer.exeexplorer.exe4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\SpyNote.exe"C:\Users\Admin\AppData\Local\Temp\SpyNote.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4644 -
C:\Users\Admin\AppData\Local\Temp\3582-490\SpyNote.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\SpyNote.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4880 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 10764⤵
- Program crash
PID:3712
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4880 -ip 48801⤵PID:4600
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1Change Default File Association
1Power Settings
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
420KB
MD501f79dab4df97b5571684298b663e4dd
SHA1f9610961b141da9ac181ff4ed6fbe86fecee54f4
SHA25664fe3f3104b628744ed9a6c6b8e6d780a310d9c2c7d5b9e13824bdfa17a25b8d
SHA512b27ecdcf29d60feb25c6fa852fc214b0a742f07e63316185c987126282d114bd118259c421ad4938b16975108a317e9816fe457339fb030e8e6b9bf307d53b5f
-
Filesize
461KB
MD5f0a348ebcfaccc589f4baf152dc6b3a6
SHA13952d9ba4404ec4e7732256b4d7c6abef0eb5643
SHA2564dcaaf2ad32e6b01158a2c152f9aa457fb49ff1a99454ddc940448b24d8d81f1
SHA5123c06151c98a3de3b10439176663a41b6816c75ac6600adb635e86051e8560a917061b28943a086ceb83fbbcf76b1416a9d19974b218ca340873160941ec25325
-
Filesize
6.6MB
MD55dfae2b96d8bc6790c29ec2ac85afe99
SHA1db05a87beb16572c793142c9bc5e42e8cc37b063
SHA256dfcfdb44cd6a19ca1a215dedd9b90962141d31369867983345e6550d2d750996
SHA51288ca9fecbab0dad5fef042156e28523cd064227a68ef581843377dbc9af04883a39b970b5ffe5985c972df99e8e96c4b08f98c426c469764d666c8955c688b55
-
Filesize
2.5MB
MD500fc60282e801348211f9fad3d15f7ce
SHA18a4f8cb033ec7ccdbe2dcabf8c0883ee3c664b4c
SHA25601861308d403364e53c1d18857a0e37025689517b4f5fafefd78f6a339c68813
SHA512820e51518457b909aa527cc07746e612fea1c0b0a639837f8bcd7df53ee1a64ffda1c10092586129184433f6ea89d3ee3eab5a9938e80098e0776526097c9065
-
Filesize
6.6MB
MD53c4751f7fc9bde4d9f0e753eeccc28c7
SHA1aff077afcc5a6366ee00b07ae5aeeec88ced63eb
SHA256c5040ca0cfd26c29eb64dffecf91e28c47f5b31e79094fe3c4a5621614f5c501
SHA512ba3845c97856de3d2805fdbea22713b710b13967ff2c1397d7a353f24c604bba12262670d5514943b9a6896f5ebe887201e5686f34a27570d6dbf031e06ef3b4