Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
16/09/2022, 20:30
Static task
static1
Behavioral task
behavioral1
Sample
fdb2a73153896bd75d84bead757d57d6ca21b6ad4826851fec7475f17a74aa2a.exe
Resource
win10v2004-20220812-en
General
-
Target
fdb2a73153896bd75d84bead757d57d6ca21b6ad4826851fec7475f17a74aa2a.exe
-
Size
305KB
-
MD5
a7131ea3c8092b156ca4a085cfaae261
-
SHA1
de143d8b3ab3770323b952304604d269721be992
-
SHA256
fdb2a73153896bd75d84bead757d57d6ca21b6ad4826851fec7475f17a74aa2a
-
SHA512
3ea7ee70b44411dc174f94dba563efadd408f06ae2b6bc72ce277edf92be867a16b5b20c2630d3d3738fd774d7a833f8086b88ba61dd31adeb6837e1783acd12
-
SSDEEP
3072:OyhXtgjCIS23LqVaMKmJRw6dbPO2kW5P40UdYk0KjPgrTHM/h3BsxkgaBChU/pZn:jFtYLvMEuO2Ro90AorTHnigabwVf
Malware Config
Extracted
djvu
http://acacaca.org/lancer/get.php
-
extension
.eebn
-
offline_id
5IVlpkccZlJz0AZ5atgGWVKe9CGAnXjohDf40mt1
-
payload_url
http://rgyui.top/dl/build2.exe
http://acacaca.org/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-0e5rCKsYCc Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0561Jhyjd
Extracted
raccoon
7394a7fc5da9794209d8b0503ca4abf4
http://94.131.106.59
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description ioc pid Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI fdb2a73153896bd75d84bead757d57d6ca21b6ad4826851fec7475f17a74aa2a.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e2c5d4ca-c41e-4649-9668-3f9523b7cbb7\\17DD.exe\" --AutoStart" 17DD.exe 2328 schtasks.exe 2128 schtasks.exe -
Detected Djvu ransomware 10 IoCs
resource yara_rule behavioral1/memory/1772-160-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/4048-159-0x00000000021E0000-0x00000000022FB000-memory.dmp family_djvu behavioral1/memory/1772-157-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1772-155-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1772-162-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1772-169-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/4432-174-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/4432-176-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/4432-177-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/4432-202-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Detects Smokeloader packer 1 IoCs
resource yara_rule behavioral1/memory/928-133-0x00000000005E0000-0x00000000005E9000-memory.dmp family_smokeloader -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
pid Process 4048 17DD.exe 3196 1A8F.exe 1772 17DD.exe 2100 17DD.exe 4432 17DD.exe 1140 build2.exe 1008 build3.exe 1464 mstsca.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation 17DD.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation 17DD.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation 1A8F.exe -
Loads dropped DLL 5 IoCs
pid Process 3180 regsvr32.exe 3180 regsvr32.exe 2752 InstallUtil.exe 2752 InstallUtil.exe 2752 InstallUtil.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 820 icacls.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e2c5d4ca-c41e-4649-9668-3f9523b7cbb7\\17DD.exe\" --AutoStart" 17DD.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 39 api.2ip.ua 21 api.2ip.ua 22 api.2ip.ua -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 4048 set thread context of 1772 4048 17DD.exe 92 PID 2100 set thread context of 4432 2100 17DD.exe 97 PID 3196 set thread context of 2752 3196 1A8F.exe 104 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI fdb2a73153896bd75d84bead757d57d6ca21b6ad4826851fec7475f17a74aa2a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI fdb2a73153896bd75d84bead757d57d6ca21b6ad4826851fec7475f17a74aa2a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI fdb2a73153896bd75d84bead757d57d6ca21b6ad4826851fec7475f17a74aa2a.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2128 schtasks.exe 2328 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 928 fdb2a73153896bd75d84bead757d57d6ca21b6ad4826851fec7475f17a74aa2a.exe 928 fdb2a73153896bd75d84bead757d57d6ca21b6ad4826851fec7475f17a74aa2a.exe 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2684 Process not Found -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process 928 fdb2a73153896bd75d84bead757d57d6ca21b6ad4826851fec7475f17a74aa2a.exe 2684 Process not Found 2684 Process not Found 2684 Process not Found 2684 Process not Found -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeShutdownPrivilege 2684 Process not Found Token: SeCreatePagefilePrivilege 2684 Process not Found Token: SeDebugPrivilege 3196 1A8F.exe Token: SeShutdownPrivilege 2684 Process not Found Token: SeCreatePagefilePrivilege 2684 Process not Found Token: SeDebugPrivilege 1624 powershell.exe Token: SeShutdownPrivilege 2684 Process not Found Token: SeCreatePagefilePrivilege 2684 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2684 wrote to memory of 4048 2684 Process not Found 86 PID 2684 wrote to memory of 4048 2684 Process not Found 86 PID 2684 wrote to memory of 4048 2684 Process not Found 86 PID 2684 wrote to memory of 2220 2684 Process not Found 87 PID 2684 wrote to memory of 2220 2684 Process not Found 87 PID 2684 wrote to memory of 3196 2684 Process not Found 89 PID 2684 wrote to memory of 3196 2684 Process not Found 89 PID 2684 wrote to memory of 3196 2684 Process not Found 89 PID 2220 wrote to memory of 3180 2220 regsvr32.exe 88 PID 2220 wrote to memory of 3180 2220 regsvr32.exe 88 PID 2220 wrote to memory of 3180 2220 regsvr32.exe 88 PID 2684 wrote to memory of 4552 2684 Process not Found 90 PID 2684 wrote to memory of 4552 2684 Process not Found 90 PID 2684 wrote to memory of 4552 2684 Process not Found 90 PID 2684 wrote to memory of 4552 2684 Process not Found 90 PID 2684 wrote to memory of 2212 2684 Process not Found 91 PID 2684 wrote to memory of 2212 2684 Process not Found 91 PID 2684 wrote to memory of 2212 2684 Process not Found 91 PID 4048 wrote to memory of 1772 4048 17DD.exe 92 PID 4048 wrote to memory of 1772 4048 17DD.exe 92 PID 4048 wrote to memory of 1772 4048 17DD.exe 92 PID 4048 wrote to memory of 1772 4048 17DD.exe 92 PID 4048 wrote to memory of 1772 4048 17DD.exe 92 PID 4048 wrote to memory of 1772 4048 17DD.exe 92 PID 4048 wrote to memory of 1772 4048 17DD.exe 92 PID 4048 wrote to memory of 1772 4048 17DD.exe 92 PID 4048 wrote to memory of 1772 4048 17DD.exe 92 PID 4048 wrote to memory of 1772 4048 17DD.exe 92 PID 1772 wrote to memory of 820 1772 17DD.exe 94 PID 1772 wrote to memory of 820 1772 17DD.exe 94 PID 1772 wrote to memory of 820 1772 17DD.exe 94 PID 1772 wrote to memory of 2100 1772 17DD.exe 95 PID 1772 wrote to memory of 2100 1772 17DD.exe 95 PID 1772 wrote to memory of 2100 1772 17DD.exe 95 PID 2100 wrote to memory of 4432 2100 17DD.exe 97 PID 2100 wrote to memory of 4432 2100 17DD.exe 97 PID 2100 wrote to memory of 4432 2100 17DD.exe 97 PID 2100 wrote to memory of 4432 2100 17DD.exe 97 PID 2100 wrote to memory of 4432 2100 17DD.exe 97 PID 2100 wrote to memory of 4432 2100 17DD.exe 97 PID 2100 wrote to memory of 4432 2100 17DD.exe 97 PID 2100 wrote to memory of 4432 2100 17DD.exe 97 PID 2100 wrote to memory of 4432 2100 17DD.exe 97 PID 2100 wrote to memory of 4432 2100 17DD.exe 97 PID 3196 wrote to memory of 1624 3196 1A8F.exe 98 PID 3196 wrote to memory of 1624 3196 1A8F.exe 98 PID 3196 wrote to memory of 1624 3196 1A8F.exe 98 PID 4432 wrote to memory of 1140 4432 17DD.exe 100 PID 4432 wrote to memory of 1140 4432 17DD.exe 100 PID 4432 wrote to memory of 1140 4432 17DD.exe 100 PID 4432 wrote to memory of 1008 4432 17DD.exe 101 PID 4432 wrote to memory of 1008 4432 17DD.exe 101 PID 4432 wrote to memory of 1008 4432 17DD.exe 101 PID 1008 wrote to memory of 2128 1008 build3.exe 102 PID 1008 wrote to memory of 2128 1008 build3.exe 102 PID 1008 wrote to memory of 2128 1008 build3.exe 102 PID 3196 wrote to memory of 2752 3196 1A8F.exe 104 PID 3196 wrote to memory of 2752 3196 1A8F.exe 104 PID 3196 wrote to memory of 2752 3196 1A8F.exe 104 PID 3196 wrote to memory of 2752 3196 1A8F.exe 104 PID 3196 wrote to memory of 2752 3196 1A8F.exe 104 PID 3196 wrote to memory of 2752 3196 1A8F.exe 104 PID 3196 wrote to memory of 2752 3196 1A8F.exe 104 PID 3196 wrote to memory of 2752 3196 1A8F.exe 104 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fdb2a73153896bd75d84bead757d57d6ca21b6ad4826851fec7475f17a74aa2a.exe"C:\Users\Admin\AppData\Local\Temp\fdb2a73153896bd75d84bead757d57d6ca21b6ad4826851fec7475f17a74aa2a.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:928
-
C:\Users\Admin\AppData\Local\Temp\17DD.exeC:\Users\Admin\AppData\Local\Temp\17DD.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Users\Admin\AppData\Local\Temp\17DD.exeC:\Users\Admin\AppData\Local\Temp\17DD.exe2⤵
- DcRat
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\e2c5d4ca-c41e-4649-9668-3f9523b7cbb7" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:820
-
-
C:\Users\Admin\AppData\Local\Temp\17DD.exe"C:\Users\Admin\AppData\Local\Temp\17DD.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Users\Admin\AppData\Local\Temp\17DD.exe"C:\Users\Admin\AppData\Local\Temp\17DD.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Users\Admin\AppData\Local\2e6bf31f-ac9f-44bd-9158-a96556965657\build2.exe"C:\Users\Admin\AppData\Local\2e6bf31f-ac9f-44bd-9158-a96556965657\build2.exe"5⤵
- Executes dropped EXE
PID:1140
-
-
C:\Users\Admin\AppData\Local\2e6bf31f-ac9f-44bd-9158-a96556965657\build3.exe"C:\Users\Admin\AppData\Local\2e6bf31f-ac9f-44bd-9158-a96556965657\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"6⤵
- DcRat
- Creates scheduled task(s)
PID:2128
-
-
-
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\1994.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\1994.dll2⤵
- Loads dropped DLL
PID:3180
-
-
C:\Users\Admin\AppData\Local\Temp\1A8F.exeC:\Users\Admin\AppData\Local\Temp\1A8F.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAyAA==2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe2⤵
- Loads dropped DLL
PID:2752
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:4552
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:2212
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"2⤵
- DcRat
- Creates scheduled task(s)
PID:2328
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize2KB
MD5ea3ead1b160922fb25b1b9d766a56fa5
SHA19f61cb0a5a80fa5ba776f71fed4728d002d3aca1
SHA2564080213fba647d43c0ac02710ac7b631c23f8f791930016045cda9aeec1b6867
SHA512ec817bdc668bff4c266ca8b6a6c4068251926714262a95f9ac7f7565e2d66a26371589182d0ba1d03fa482d99430b865cb7eb24becf92b72e45f20b26a215c15
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize1KB
MD5e9e482bf825221326b7c080ef52e5036
SHA167244c170dad567630298f89364a5e9626e2517a
SHA25660843d5086f10e833ca98696967f1a39ea04a2ffee6d87679b5803092b9cfa71
SHA512c7a5fd63c0faa2a5cd8be90c7dcf10d8dd564964dc4b8ab4fa1a7a188fa89094563f595c94f4ea133582cfbcf9cc90cb74bd273924b7fa5eadae868bced51440
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize488B
MD5af3e4fbac91607f14276d2e1d34b7395
SHA1c8dce8a820136a371a75427d4aa092724c01b7dd
SHA256285cc5c88f9d89ebb7a56d86618eeeb7d4e0fe1e83d2eccb9a4b345031b7c648
SHA512a5a8f7e05bed8414bae017657bc27d079ac64697459c018e045b39fb7f373e2547687fec5ef849e2f14f9d2e474c7c4b3467458d95675756f9e4ff6f2eeedc32
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize482B
MD570582d9392422af94699b8e4e4a80c71
SHA15a19076946435f06e9e2a4026d65fda20758df72
SHA256776523b52e1c91d6ab62d411db82aded5e2680c96844eeb747cb228953669c44
SHA5124c9934a6e10e5d6025eced13f43b5238927439f895f8a070006fc60362c15178b98e523074e1dc854486f2d0a5934c976b491b84b7d2e61833de0908ac543aa7
-
Filesize
612KB
MD5f07d9977430e762b563eaadc2b94bbfa
SHA1da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
SHA2564191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
SHA5126afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf
-
Filesize
1.9MB
MD5f67d08e8c02574cbc2f1122c53bfb976
SHA16522992957e7e4d074947cad63189f308a80fcf2
SHA256c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
SHA5122e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5
-
Filesize
1.0MB
MD5dbf4f8dcefb8056dc6bae4b67ff810ce
SHA1bbac1dd8a07c6069415c04b62747d794736d0689
SHA25647b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
SHA512b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1
-
Filesize
376KB
MD58b01bb02b7aeb097ba96dc7628575ca0
SHA111046fb024f695b1dc7a3a0be9167cb4e85548c6
SHA2567abb4b2423a93fa4b7a2cd19bcc854cc96d2e9ed20c13b86c39f49fe7cb80e4a
SHA51264cd772d4e319255e32909577ac137966cd47bd295aa3a61a76e52d651d80d313a3cfee7ea88d703bb293931a91558161184de2b76f8e5d9a2358a065c5c5f35
-
Filesize
376KB
MD58b01bb02b7aeb097ba96dc7628575ca0
SHA111046fb024f695b1dc7a3a0be9167cb4e85548c6
SHA2567abb4b2423a93fa4b7a2cd19bcc854cc96d2e9ed20c13b86c39f49fe7cb80e4a
SHA51264cd772d4e319255e32909577ac137966cd47bd295aa3a61a76e52d651d80d313a3cfee7ea88d703bb293931a91558161184de2b76f8e5d9a2358a065c5c5f35
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
785KB
MD545df0a893e5dbc77c41915371b9ae368
SHA142437f551289dc890904df6701db9c9d5d773b65
SHA25614ff209880429fd29f64be4a517206d4aeb131c98d25d40c447f8f29c4ae54a9
SHA5121d0271c5ecb76f424b098735e4010242dd7b1534e01ea09989934a01561cedae9309d9c4dcb1fecb8dda35f59d644e2f4cffbfbb75cc136cf0e27f2f9db9512c
-
Filesize
785KB
MD545df0a893e5dbc77c41915371b9ae368
SHA142437f551289dc890904df6701db9c9d5d773b65
SHA25614ff209880429fd29f64be4a517206d4aeb131c98d25d40c447f8f29c4ae54a9
SHA5121d0271c5ecb76f424b098735e4010242dd7b1534e01ea09989934a01561cedae9309d9c4dcb1fecb8dda35f59d644e2f4cffbfbb75cc136cf0e27f2f9db9512c
-
Filesize
785KB
MD545df0a893e5dbc77c41915371b9ae368
SHA142437f551289dc890904df6701db9c9d5d773b65
SHA25614ff209880429fd29f64be4a517206d4aeb131c98d25d40c447f8f29c4ae54a9
SHA5121d0271c5ecb76f424b098735e4010242dd7b1534e01ea09989934a01561cedae9309d9c4dcb1fecb8dda35f59d644e2f4cffbfbb75cc136cf0e27f2f9db9512c
-
Filesize
785KB
MD545df0a893e5dbc77c41915371b9ae368
SHA142437f551289dc890904df6701db9c9d5d773b65
SHA25614ff209880429fd29f64be4a517206d4aeb131c98d25d40c447f8f29c4ae54a9
SHA5121d0271c5ecb76f424b098735e4010242dd7b1534e01ea09989934a01561cedae9309d9c4dcb1fecb8dda35f59d644e2f4cffbfbb75cc136cf0e27f2f9db9512c
-
Filesize
785KB
MD545df0a893e5dbc77c41915371b9ae368
SHA142437f551289dc890904df6701db9c9d5d773b65
SHA25614ff209880429fd29f64be4a517206d4aeb131c98d25d40c447f8f29c4ae54a9
SHA5121d0271c5ecb76f424b098735e4010242dd7b1534e01ea09989934a01561cedae9309d9c4dcb1fecb8dda35f59d644e2f4cffbfbb75cc136cf0e27f2f9db9512c
-
Filesize
1.7MB
MD5d80ebc640cfb85e684404edafa30a94e
SHA19b53131ea4f2e65dcafb601d7e6965e27bfcfc31
SHA256a82e11e5cf02291010e9861c6d54beeae649cf9fb313b839296d56b451a7dde2
SHA512ba6ac688263d095a68be8e52dc7163202b199ef9858758115396757ed3799839ed889cd0cfeb051ee16fd6b3cbd032c803f2699048be69a34a9da5c03d5fbdf8
-
Filesize
1.7MB
MD5d80ebc640cfb85e684404edafa30a94e
SHA19b53131ea4f2e65dcafb601d7e6965e27bfcfc31
SHA256a82e11e5cf02291010e9861c6d54beeae649cf9fb313b839296d56b451a7dde2
SHA512ba6ac688263d095a68be8e52dc7163202b199ef9858758115396757ed3799839ed889cd0cfeb051ee16fd6b3cbd032c803f2699048be69a34a9da5c03d5fbdf8
-
Filesize
1.7MB
MD5d80ebc640cfb85e684404edafa30a94e
SHA19b53131ea4f2e65dcafb601d7e6965e27bfcfc31
SHA256a82e11e5cf02291010e9861c6d54beeae649cf9fb313b839296d56b451a7dde2
SHA512ba6ac688263d095a68be8e52dc7163202b199ef9858758115396757ed3799839ed889cd0cfeb051ee16fd6b3cbd032c803f2699048be69a34a9da5c03d5fbdf8
-
Filesize
229KB
MD5a2370ca56445054a0985a0972e0040ca
SHA1823a2bd23f749a26ce4743279d5d85129830f2fc
SHA256ae769b328bb61b642ba1177d138f8732be2e27fd91af5e226dc99b88bb35bdcb
SHA512666a9cb47607dd9c0c2928a83ea830939371cee0cfc21ec6964acb26c14268eef37e9417740f5ce6d86312d301532c989b2b576086182e37c2fd1db6a2e71728
-
Filesize
229KB
MD5a2370ca56445054a0985a0972e0040ca
SHA1823a2bd23f749a26ce4743279d5d85129830f2fc
SHA256ae769b328bb61b642ba1177d138f8732be2e27fd91af5e226dc99b88bb35bdcb
SHA512666a9cb47607dd9c0c2928a83ea830939371cee0cfc21ec6964acb26c14268eef37e9417740f5ce6d86312d301532c989b2b576086182e37c2fd1db6a2e71728
-
Filesize
785KB
MD545df0a893e5dbc77c41915371b9ae368
SHA142437f551289dc890904df6701db9c9d5d773b65
SHA25614ff209880429fd29f64be4a517206d4aeb131c98d25d40c447f8f29c4ae54a9
SHA5121d0271c5ecb76f424b098735e4010242dd7b1534e01ea09989934a01561cedae9309d9c4dcb1fecb8dda35f59d644e2f4cffbfbb75cc136cf0e27f2f9db9512c
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a
-
Filesize
9KB
MD59ead10c08e72ae41921191f8db39bc16
SHA1abe3bce01cd34afc88e2c838173f8c2bd0090ae1
SHA2568d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0
SHA512aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a