Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
01/01/2025, 06:45
Behavioral task
behavioral1
Sample
61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe
Resource
win7-20240903-en
General
-
Target
61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe
-
Size
8.8MB
-
MD5
730bf213d90c18e9bef986876e531811
-
SHA1
ee9ed047072eb38d07e051038a01d31b7f2863a1
-
SHA256
61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8
-
SHA512
797a6a69a0c7b66e5818ff6048bbf4c6db41af29abc05875bddfc93ca822304358fee1d9d656cae0156306a3c33c6bd1baccaf8e517ef2a46ca8a649e4c00735
-
SSDEEP
98304:wws2ANnKXOaeOgmhVCPnsmtk2aX235t9jZcDRH2WeOE4MvKey0GlJJNuZIqPF:mKXbeO7HCfL3uWMkSey0GBNuZLPF
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
Signatures
-
resource yara_rule behavioral1/memory/2880-15-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/2880-16-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/2880-20-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/2132-26-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/2132-39-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/2592-49-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/2592-53-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral1/memory/2592-54-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 9 IoCs
resource yara_rule behavioral1/files/0x0008000000016890-6.dat family_gh0strat behavioral1/memory/2880-15-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/2880-16-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/2880-20-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/2132-26-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/2132-39-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/2592-49-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/2592-53-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral1/memory/2592-54-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Xred family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys TXPlatfor.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" TXPlatfor.exe -
Executes dropped EXE 8 IoCs
pid Process 2676 R.exe 2880 N.exe 2132 TXPlatfor.exe 2684 HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 2592 TXPlatfor.exe 664 ._cache_HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 2864 Synaptics.exe 1696 ._cache_Synaptics.exe -
Loads dropped DLL 15 IoCs
pid Process 1728 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 2676 R.exe 1728 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 1728 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 1728 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 2132 TXPlatfor.exe 2684 HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 2684 HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 2684 HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 2684 HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 2684 HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 2864 Synaptics.exe 2864 Synaptics.exe 2864 Synaptics.exe 2864 Synaptics.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\TXPlatfor.exe N.exe File opened for modification C:\Windows\SysWOW64\TXPlatfor.exe N.exe File created C:\Windows\SysWOW64\259475604.txt R.exe -
resource yara_rule behavioral1/memory/2880-15-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2880-13-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2880-16-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2880-20-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2132-26-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2132-39-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2592-49-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2592-53-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral1/memory/2592-54-0x0000000010000000-0x00000000101B6000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TXPlatfor.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language R.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2648 cmd.exe 324 PING.EXE -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 324 PING.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1964 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1728 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 2592 TXPlatfor.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2880 N.exe Token: SeLoadDriverPrivilege 2592 TXPlatfor.exe Token: 33 2592 TXPlatfor.exe Token: SeIncBasePriorityPrivilege 2592 TXPlatfor.exe Token: 33 2592 TXPlatfor.exe Token: SeIncBasePriorityPrivilege 2592 TXPlatfor.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1728 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 1728 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 1964 EXCEL.EXE -
Suspicious use of WriteProcessMemory 42 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe "C:\Users\Admin\AppData\Local\Temp\61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe" 1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\R.exe C:\Users\Admin\AppData\Local\Temp\\R.exe 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2676
-
-
C:\Users\Admin\AppData\Local\Temp\N.exe C:\Users\Admin\AppData\Local\Temp\\N.exe 2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul 3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1 4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:324
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe C:\Users\Admin\AppData\Local\Temp\HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Users\Admin\AppData\Local\Temp\._cache_HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe "C:\Users\Admin\AppData\Local\Temp\._cache_HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe" 3⤵
- Executes dropped EXE
PID:664
-
-
C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate 3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate 4⤵
- Executes dropped EXE
PID:1696
-
-
-
-
C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe -auto 1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\TXPlatfor.exe C:\Windows\SysWOW64\TXPlatfor.exe -acsi 2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2592
-
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding 1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1964
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 2
Downloads