Analysis
max time kernel: 190s
max time network: 216s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 02-05-2022 18:51
Static task: static1
Behavioral task: behavioral1
Sample: 6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe
Resource: win7-20220414-en
General
Target: 6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe
Size: 4.4MB
MD5: 2d964916b664386abe7561039b62231f
SHA1: c72b18c84ffc1cb5a8e9b7a876aa4830bff6e7cc
SHA256: 6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1
SHA512: 0c18454815efe42302de19d8c1f35b5e54a3ce2f5359f4bcce4f295f88bb823c61fd31edcc95cc1a78a8f08c3460508aaaefeed880fa5f5d06026900ded0f709
Malware Config
Signatures
-
Executes dropped EXE 9 IoCs
Processes:
pid | process
2704 | run.exe
1000 | data.exe
2804 | rutserv.exe
4184 | rutserv.exe
5068 | rutserv.exe
2476 | rutserv.exe
432 | rfusclient.exe
5056 | rfusclient.exe
1096 | rfusclient.exe
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | data.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Drops file in Program Files directory 21 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\RMS\rfusclient.exe | cmd.exe
File opened for modification | C:\Program Files\RMS\russian.lg | cmd.exe
File created | C:\Program Files\RMS\vp8encoder.dll | cmd.exe
File opened for modification | C:\Program Files\RMS\vp8encoder.dll | cmd.exe
File opened for modification | C:\Program Files\RMS\vp8decoder.dll | attrib.exe
File opened for modification | C:\Program Files\RMS\rutserv.exe | attrib.exe
File opened for modification | C:\Program Files\RMS | attrib.exe
File created | C:\Program Files\RMS\russian.lg | cmd.exe
File opened for modification | C:\Program Files\RMS\regedit.reg | attrib.exe
File opened for modification | C:\Program Files\RMS\rfusclient.exe | attrib.exe
File opened for modification | C:\Program Files\RMS\rutserv.exe | attrib.exe
File opened for modification | C:\Program Files\RMS\vp8encoder.dll | attrib.exe
File created | C:\Program Files\RMS\regedit.reg | cmd.exe
File created | C:\Program Files\RMS\rfusclient.exe | cmd.exe
File opened for modification | C:\Program Files\RMS\rutserv.exe | cmd.exe
File created | C:\Program Files\RMS\vp8decoder.dll | cmd.exe
File opened for modification | C:\Program Files\RMS\vp8decoder.dll | cmd.exe
File opened for modification | C:\Program Files\RMS\rfusclient.exe | attrib.exe
File opened for modification | C:\Program Files\RMS\regedit.reg | cmd.exe
File opened for modification | C:\Program Files\RMS\russian.lg | attrib.exe
File created | C:\Program Files\RMS\rutserv.exe | cmd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 3 IoCs
Processes:
pid | process
4788 | timeout.exe
2516 | timeout.exe
4728 | timeout.exe
-
Kills process with taskkill 2 IoCs
Processes:
pid | process
1304 | taskkill.exe
392 | taskkill.exe
-
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | 6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | data.exe
-
Runs .reg file with regedit 1 IoCs
Processes:
pid | process
3448 | regedit.exe
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
pid | process
2804 | rutserv.exe
2804 | rutserv.exe
2804 | rutserv.exe
2804 | rutserv.exe
2804 | rutserv.exe
2804 | rutserv.exe
4184 | rutserv.exe
4184 | rutserv.exe
5068 | rutserv.exe
5068 | rutserv.exe
2476 | rutserv.exe
2476 | rutserv.exe
2476 | rutserv.exe
2476 | rutserv.exe
2476 | rutserv.exe
2476 | rutserv.exe
432 | rfusclient.exe
432 | rfusclient.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 392 | taskkill.exe
Token: SeDebugPrivilege | 1304 | taskkill.exe
Token: SeDebugPrivilege | 2804 | rutserv.exe
Token: SeDebugPrivilege | 5068 | rutserv.exe
Token: SeTakeOwnershipPrivilege | 2476 | rutserv.exe
Token: SeTcbPrivilege | 2476 | rutserv.exe
Token: SeTcbPrivilege | 2476 | rutserv.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
2804 | rutserv.exe
4184 | rutserv.exe
5068 | rutserv.exe
2476 | rutserv.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 4956 wrote to memory of 1768 | 4956 | 6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe | WScript.exe
PID 4956 wrote to memory of 1768 | 4956 | 6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe | WScript.exe
PID 4956 wrote to memory of 1768 | 4956 | 6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe | WScript.exe
PID 1768 wrote to memory of 2704 | 1768 | WScript.exe | run.exe
PID 1768 wrote to memory of 2704 | 1768 | WScript.exe | run.exe
PID 1768 wrote to memory of 2704 | 1768 | WScript.exe | run.exe
PID 2704 wrote to memory of 3204 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 3204 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 3204 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 636 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 636 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 636 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 4696 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 4696 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 4696 | 2704 | run.exe | cmd.exe
PID 4696 wrote to memory of 3648 | 4696 | cmd.exe | attrib.exe
PID 4696 wrote to memory of 3648 | 4696 | cmd.exe | attrib.exe
PID 4696 wrote to memory of 3648 | 4696 | cmd.exe | attrib.exe
PID 2704 wrote to memory of 3460 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 3460 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 3460 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 4836 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 4836 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 4836 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 4832 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 4832 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 4832 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 4924 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 4924 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 4924 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 376 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 376 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 376 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 5116 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 5116 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 5116 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 1600 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 1600 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 1600 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 952 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 952 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 952 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 3928 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 3928 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 3928 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 1312 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 1312 | 2704 | run.exe | cmd.exe
PID 2704 wrote to memory of 1312 | 2704 | run.exe | cmd.exe
PID 1312 wrote to memory of 1000 | 1312 | cmd.exe | data.exe
PID 1312 wrote to memory of 1000 | 1312 | cmd.exe | data.exe
PID 1312 wrote to memory of 1000 | 1312 | cmd.exe | data.exe
PID 1000 wrote to memory of 3640 | 1000 | data.exe | WScript.exe
PID 1000 wrote to memory of 3640 | 1000 | data.exe | WScript.exe
PID 1000 wrote to memory of 3640 | 1000 | data.exe | WScript.exe
PID 3640 wrote to memory of 1964 | 3640 | WScript.exe | cmd.exe
PID 3640 wrote to memory of 1964 | 3640 | WScript.exe | cmd.exe
PID 3640 wrote to memory of 1964 | 3640 | WScript.exe | cmd.exe
PID 1964 wrote to memory of 392 | 1964 | cmd.exe | taskkill.exe
PID 1964 wrote to memory of 392 | 1964 | cmd.exe | taskkill.exe
PID 1964 wrote to memory of 392 | 1964 | cmd.exe | taskkill.exe
PID 1964 wrote to memory of 1304 | 1964 | cmd.exe | taskkill.exe
PID 1964 wrote to memory of 1304 | 1964 | cmd.exe | taskkill.exe
PID 1964 wrote to memory of 1304 | 1964 | cmd.exe | taskkill.exe
PID 1964 wrote to memory of 4984 | 1964 | cmd.exe | reg.exe
-
Views/modifies file attributes 1 TTPs 5 IoCs
Processes:
pid | process
1468 | attrib.exe
3648 | attrib.exe
4968 | attrib.exe
2256 | attrib.exe
3752 | attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6f739d47289850c7a57d4216497900f82d5c361630adace4f879e9e09582f2d1.exe"
Depth: 1
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4956
-
C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows\control\start.vbs"
Depth: 2
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 1768
-
C:\Users\Admin\AppData\Roaming\Windows\control\run.exe
Command line: "C:\Users\Admin\AppData\Roaming\Windows\control\run.exe"
Depth: 3
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2704
-
C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
Depth: 4
PID: 3204
-
C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ytmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ytmp"
Depth: 4
PID: 636
-
C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
Depth: 4
- Suspicious use of WriteProcessMemory
PID: 4696
-
C:\Windows\SysWOW64\attrib.exe
Command line: attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
Depth: 5
- Views/modifies file attributes
PID: 3648
-
C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c cls
Depth: 4
PID: 3460
-
C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c cls
Depth: 4
PID: 4836
-
C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c cls
Depth: 4
PID: 4832
-
C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c cls
Depth: 4
PID: 4924
-
C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c cls
Depth: 4
PID: 376
-
C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c cls
Depth: 4
PID: 5116
-
C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c cls
Depth: 4
PID: 1600
-
C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp17910.bat" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp17910.bat"
Depth: 4
PID: 952
-
C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp26570.exe" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp26570.exe"
Depth: 4
PID: 3928
-
C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytmp\tmp17910.bat "C:\Users\Admin\AppData\Roaming\Windows\control\run.exe"
Depth: 4
- Suspicious use of WriteProcessMemory
PID: 1312
-
C:\Users\Admin\AppData\Roaming\Windows\control\data.exe
Command line: data.exe -p4387548329574239857234 -d C:\Log
Depth: 5
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1000
-
C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Log\start.vbs"
Depth: 6
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 3640
-
C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Log\install.bat" "
Depth: 7
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID: 1964
-
C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /f /im rutserv.exe
Depth: 8
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 392
-
C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /f /im rfusclient.exe
Depth: 8
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 1304
-
C:\Windows\SysWOW64\reg.exe
Command line: reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
Depth: 8
PID: 4984
-
C:\Windows\SysWOW64\attrib.exe
Command line: attrib +s +h "C:\Program Files\RMS"
Depth: 8
- Drops file in Program Files directory
- Views/modifies file attributes
PID: 4968
-
C:\Windows\SysWOW64\timeout.exe
Command line: timeout 1
Depth: 8
- Delays execution with timeout.exe
PID: 4788
-
C:\Windows\SysWOW64\timeout.exe
Command line: timeout 2
Depth: 8
- Delays execution with timeout.exe
PID: 2516
-
C:\Windows\SysWOW64\attrib.exe
Command line: attrib +s +h "C:\Program Files\RMS\*.*"
Depth: 8
- Drops file in Program Files directory
- Views/modifies file attributes
PID: 2256
-
C:\Windows\SysWOW64\attrib.exe
Command line: attrib -s -h "C:\Program Files\RMS\rfusclient.exe"
Depth: 8
- Drops file in Program Files directory
- Views/modifies file attributes
PID: 3752
-
C:\Windows\SysWOW64\attrib.exe
Command line: attrib -s -h "C:\Program Files\RMS\rutserv.exe"
Depth: 8
- Drops file in Program Files directory
- Views/modifies file attributes
PID: 1468
-
C:\Windows\SysWOW64\regedit.exe
Command line: regedit /s regedit.reg
Depth: 8
- Runs .reg file with regedit
PID: 3448
-
C:\Program Files\RMS\rutserv.exe
Command line: rutserv.exe /silentinstall
Depth: 8
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2804
-
C:\Program Files\RMS\rutserv.exe
Command line: rutserv.exe /firewall
Depth: 8
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4184
-
C:\Program Files\RMS\rutserv.exe
Command line: rutserv.exe /start
Depth: 8
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 5068
-
C:\Windows\SysWOW64\timeout.exe
Command line: timeout 3
Depth: 8
- Delays execution with timeout.exe
PID: 4728
-
C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp17910.bat" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp17910.bat"
Depth: 4
PID: 1628
-
C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp26570.exe" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp26570.exe"
Depth: 4
PID: 648
-
C:\Program Files\RMS\rutserv.exe
Command line: "C:\Program Files\RMS\rutserv.exe"
Depth: 1
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2476
-
C:\Program Files\RMS\rfusclient.exe
Command line: "C:\Program Files\RMS\rfusclient.exe" /tray
Depth: 2
- Executes dropped EXE
PID: 5056
-
C:\Program Files\RMS\rfusclient.exe
Command line: "C:\Program Files\RMS\rfusclient.exe"
Depth: 2
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID: 432
-
C:\Program Files\RMS\rfusclient.exe
Command line: "C:\Program Files\RMS\rfusclient.exe" /tray
Depth: 3
- Executes dropped EXE
PID: 1096
Network
MITRE ATT&CK Enterprise v6
Downloads