Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
30/10/2022, 08:36
Static task
static1
Behavioral task
behavioral1
Sample
f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5.exe
Resource
win10v2004-20220901-en
General
-
Target
f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5.exe
-
Size
285KB
-
MD5
0ddbed09443dac4316238573b3ad82e8
-
SHA1
84e984a32e29cf88a9fbf55e7080bf7356c04b4b
-
SHA256
f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5
-
SHA512
f8738527b1f997597ef356ea5b95775a4a4e02b5c4d786a5365655fb918642b9984c562442e5ad532a945aa5c92e901c38333a17ff5b29cc51e54d289a8abcb2
-
SSDEEP
3072:PzZh4UWvnNLZla5ka5buhYta9bRlFu42FOTvMIvM/h3:sUWvnNLZla5OhIM9OwAc
Malware Config
Extracted
redline
slovarik15btc
78.153.144.3:2510
-
auth_value
bfedad55292538ad3edd07ac95ad8952
Extracted
redline
Google2
167.235.71.14:20469
-
auth_value
fb274d9691235ba015830da570a13578
Signatures
-
Detect Amadey credential stealer module 2 IoCs
resource yara_rule behavioral1/files/0x0003000000000721-257.dat amadey_cred_module behavioral1/files/0x0003000000000721-258.dat amadey_cred_module -
Detects Smokeloader packer 1 IoCs
resource yara_rule behavioral1/memory/1612-133-0x0000000002E90000-0x0000000002E99000-memory.dmp family_smokeloader -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
resource yara_rule behavioral1/memory/3684-140-0x0000000000400000-0x0000000000428000-memory.dmp family_redline behavioral1/memory/1380-148-0x0000000000BE0000-0x0000000000C99000-memory.dmp family_redline behavioral1/memory/1028-153-0x0000000000400000-0x0000000000428000-memory.dmp family_redline behavioral1/memory/4988-161-0x0000000000DE0000-0x0000000000E98000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 1 IoCs
flow pid Process 48 3636 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
pid Process 1380 664B.exe 4988 694A.exe 4400 6BEB.exe 2152 72E1.exe 4388 eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe 4492 rovwer.exe 4752 LYKAA.exe 1072 A184.exe 3380 rovwer.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 72E1.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 6BEB.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation LYKAA.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation rovwer.exe -
Loads dropped DLL 1 IoCs
pid Process 3636 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 1380 set thread context of 3684 1380 664B.exe 85 PID 4988 set thread context of 1028 4988 694A.exe 90 PID 4752 set thread context of 1820 4752 LYKAA.exe 121 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 4540 4400 WerFault.exe 88 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1700 schtasks.exe 4016 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2480 timeout.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1612 f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5.exe 1612 f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5.exe 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2440 Process not Found -
Suspicious behavior: MapViewOfSection 19 IoCs
pid Process 1612 f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5.exe 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found 2440 Process not Found -
Suspicious use of AdjustPrivilegeToken 40 IoCs
description pid Process Token: SeShutdownPrivilege 2440 Process not Found Token: SeCreatePagefilePrivilege 2440 Process not Found Token: SeShutdownPrivilege 2440 Process not Found Token: SeCreatePagefilePrivilege 2440 Process not Found Token: SeDebugPrivilege 4388 eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe Token: SeShutdownPrivilege 2440 Process not Found Token: SeCreatePagefilePrivilege 2440 Process not Found Token: SeShutdownPrivilege 2440 Process not Found Token: SeCreatePagefilePrivilege 2440 Process not Found Token: SeShutdownPrivilege 2440 Process not Found Token: SeCreatePagefilePrivilege 2440 Process not Found Token: SeShutdownPrivilege 2440 Process not Found Token: SeCreatePagefilePrivilege 2440 Process not Found Token: SeShutdownPrivilege 2440 Process not Found Token: SeCreatePagefilePrivilege 2440 Process not Found Token: SeDebugPrivilege 1028 vbc.exe Token: SeDebugPrivilege 3684 vbc.exe Token: SeShutdownPrivilege 2440 Process not Found Token: SeCreatePagefilePrivilege 2440 Process not Found Token: SeDebugPrivilege 4752 LYKAA.exe Token: SeShutdownPrivilege 2440 Process not Found Token: SeCreatePagefilePrivilege 2440 Process not Found Token: SeShutdownPrivilege 2440 Process not Found Token: SeCreatePagefilePrivilege 2440 Process not Found Token: SeShutdownPrivilege 2440 Process not Found Token: SeCreatePagefilePrivilege 2440 Process not Found Token: SeShutdownPrivilege 2440 Process not Found Token: SeCreatePagefilePrivilege 2440 Process not Found Token: SeShutdownPrivilege 2440 Process not Found Token: SeCreatePagefilePrivilege 2440 Process not Found Token: SeShutdownPrivilege 2440 Process not Found Token: SeCreatePagefilePrivilege 2440 Process not Found Token: SeShutdownPrivilege 2440 Process not Found Token: SeCreatePagefilePrivilege 2440 Process not Found Token: SeShutdownPrivilege 2440 Process not Found Token: SeCreatePagefilePrivilege 2440 Process not Found Token: SeShutdownPrivilege 2440 Process not Found Token: SeCreatePagefilePrivilege 2440 Process not Found Token: SeShutdownPrivilege 2440 Process not Found Token: SeCreatePagefilePrivilege 2440 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2440 wrote to memory of 1380 2440 Process not Found 84 PID 2440 wrote to memory of 1380 2440 Process not Found 84 PID 2440 wrote to memory of 1380 2440 Process not Found 84 PID 1380 wrote to memory of 3684 1380 664B.exe 85 PID 1380 wrote to memory of 3684 1380 664B.exe 85 PID 1380 wrote to memory of 3684 1380 664B.exe 85 PID 1380 wrote to memory of 3684 1380 664B.exe 85 PID 2440 wrote to memory of 4988 2440 Process not Found 86 PID 2440 wrote to memory of 4988 2440 Process not Found 86 PID 2440 wrote to memory of 4988 2440 Process not Found 86 PID 1380 wrote to memory of 3684 1380 664B.exe 85 PID 2440 wrote to memory of 4400 2440 Process not Found 88 PID 2440 wrote to memory of 4400 2440 Process not Found 88 PID 2440 wrote to memory of 4400 2440 Process not Found 88 PID 4988 wrote to memory of 1028 4988 694A.exe 90 PID 4988 wrote to memory of 1028 4988 694A.exe 90 PID 4988 wrote to memory of 1028 4988 694A.exe 90 PID 4988 wrote to memory of 1028 4988 694A.exe 90 PID 4988 wrote to memory of 1028 4988 694A.exe 90 PID 2440 wrote to memory of 2152 2440 Process not Found 91 PID 2440 wrote to memory of 2152 2440 Process not Found 91 PID 2152 wrote to memory of 4388 2152 72E1.exe 92 PID 2152 wrote to memory of 4388 2152 72E1.exe 92 PID 4388 wrote to memory of 4496 4388 eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe 93 PID 4388 wrote to memory of 4496 4388 eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe 93 PID 4496 wrote to memory of 2480 4496 cmd.exe 95 PID 4496 wrote to memory of 2480 4496 cmd.exe 95 PID 4400 wrote to memory of 4492 4400 6BEB.exe 98 PID 4400 wrote to memory of 4492 4400 6BEB.exe 98 PID 4400 wrote to memory of 4492 4400 6BEB.exe 98 PID 4496 wrote to memory of 4752 4496 cmd.exe 101 PID 4496 wrote to memory of 4752 4496 cmd.exe 101 PID 2440 wrote to memory of 1072 2440 Process not Found 102 PID 2440 wrote to memory of 1072 2440 Process not Found 102 PID 2440 wrote to memory of 1072 2440 Process not Found 102 PID 2440 wrote to memory of 4056 2440 Process not Found 103 PID 2440 wrote to memory of 4056 2440 Process not Found 103 PID 2440 wrote to memory of 4056 2440 Process not Found 103 PID 2440 wrote to memory of 4056 2440 Process not Found 103 PID 2440 wrote to memory of 4252 2440 Process not Found 104 PID 2440 wrote to memory of 4252 2440 Process not Found 104 PID 2440 wrote to memory of 4252 2440 Process not Found 104 PID 4752 wrote to memory of 4904 4752 LYKAA.exe 106 PID 4752 wrote to memory of 4904 4752 LYKAA.exe 106 PID 2440 wrote to memory of 480 2440 Process not Found 107 PID 2440 wrote to memory of 480 2440 Process not Found 107 PID 2440 wrote to memory of 480 2440 Process not Found 107 PID 2440 wrote to memory of 480 2440 Process not Found 107 PID 4904 wrote to memory of 1700 4904 cmd.exe 108 PID 4904 wrote to memory of 1700 4904 cmd.exe 108 PID 2440 wrote to memory of 1548 2440 Process not Found 109 PID 2440 wrote to memory of 1548 2440 Process not Found 109 PID 2440 wrote to memory of 1548 2440 Process not Found 109 PID 4492 wrote to memory of 4016 4492 rovwer.exe 111 PID 4492 wrote to memory of 4016 4492 rovwer.exe 111 PID 4492 wrote to memory of 4016 4492 rovwer.exe 111 PID 2440 wrote to memory of 4088 2440 Process not Found 112 PID 2440 wrote to memory of 4088 2440 Process not Found 112 PID 2440 wrote to memory of 4088 2440 Process not Found 112 PID 2440 wrote to memory of 4088 2440 Process not Found 112 PID 2440 wrote to memory of 3824 2440 Process not Found 114 PID 2440 wrote to memory of 3824 2440 Process not Found 114 PID 2440 wrote to memory of 3824 2440 Process not Found 114 PID 2440 wrote to memory of 3824 2440 Process not Found 114 -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5.exe"C:\Users\Admin\AppData\Local\Temp\f4e09350c8a8ba77279ab7aa9bd9b27629d0d59c668cf1b60e88d4aaeb8f23e5.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1612
-
C:\Users\Admin\AppData\Local\Temp\664B.exeC:\Users\Admin\AppData\Local\Temp\664B.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3684
-
-
C:\Users\Admin\AppData\Local\Temp\694A.exeC:\Users\Admin\AppData\Local\Temp\694A.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1028
-
-
C:\Users\Admin\AppData\Local\Temp\6BEB.exeC:\Users\Admin\AppData\Local\Temp\6BEB.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe"C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe" /F3⤵
- Creates scheduled task(s)
PID:4016
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
PID:3636
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 12682⤵
- Program crash
PID:4540
-
-
C:\Users\Admin\AppData\Local\Temp\72E1.exeC:\Users\Admin\AppData\Local\Temp\72E1.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Users\Admin\AppData\Roaming\eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe"C:\Users\Admin\AppData\Roaming\eChAhUSSeAssSUSUfHuUCeAKCsFHHKsHFBAKhAKFsCBFEFKHCHESfBS.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7DBB.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
PID:2480
-
-
C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"6⤵
- Creates scheduled task(s)
PID:1700
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RKsS6XcgidDNc8rU38Yiv5STQutyMUu9A4.installs002 -p hybrid -t 55⤵PID:1820
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls6⤵PID:3440
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4400 -ip 44001⤵PID:2492
-
C:\Users\Admin\AppData\Local\Temp\A184.exeC:\Users\Admin\AppData\Local\Temp\A184.exe1⤵
- Executes dropped EXE
PID:1072
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:4056
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:4252
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:480
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:1548
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:4088
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:3824
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:3984
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:4472
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:4240
-
C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exeC:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe1⤵
- Executes dropped EXE
PID:3380
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
837KB
MD5e620507c28834b337195ca9d35c4a79b
SHA15b80356e3066da91a8193493c9fbfc37e259c226
SHA256703e1fb4de14b29eca7245d72f7ccf27e1cebb068f6381dc28c64661a4b5058b
SHA512123b25991a0951cdbd5a9e912db373c6924f465f3332d73c0a7ca0e3520aca84a6eefc1e2b0696f2e326f177a166c3c1a7e25fc8c2594fac5ac1961af58bb2a5
-
Filesize
837KB
MD5e620507c28834b337195ca9d35c4a79b
SHA15b80356e3066da91a8193493c9fbfc37e259c226
SHA256703e1fb4de14b29eca7245d72f7ccf27e1cebb068f6381dc28c64661a4b5058b
SHA512123b25991a0951cdbd5a9e912db373c6924f465f3332d73c0a7ca0e3520aca84a6eefc1e2b0696f2e326f177a166c3c1a7e25fc8c2594fac5ac1961af58bb2a5
-
Filesize
2KB
MD58730644b84be7e133ab21f97a43c0117
SHA1ac45ce1b256bed8f94a55153c5acdf1c6438b72d
SHA2569562509765e4b604537ad94da94dfb7a675bc481e39ac98df0e245fa50a87169
SHA512d9f1a3479e4e362a7343213b2baaf4911b071effc066d3d8c07157116334f10f856823f937a1d768857af5186b826d4de2d7075a5e6a17fffaead7740348bf49
-
Filesize
725KB
MD5760ed14ca60734a59448b15a8c614143
SHA1f5e11928e3cee41f36bebae4da877bd310ef0c84
SHA2562b65876470639ac849a2ab66e83bb7d3db79ed0638331fbad9cd63eef3d19207
SHA5125b891917bda0d10fb7f73e61e6f2b410378c061f9900da9f4d4631028ed3619a2e5e8eba817d932b14272d32ecded1802b035c2356e6416e5ea39ae3da638212
-
Filesize
725KB
MD5760ed14ca60734a59448b15a8c614143
SHA1f5e11928e3cee41f36bebae4da877bd310ef0c84
SHA2562b65876470639ac849a2ab66e83bb7d3db79ed0638331fbad9cd63eef3d19207
SHA5125b891917bda0d10fb7f73e61e6f2b410378c061f9900da9f4d4631028ed3619a2e5e8eba817d932b14272d32ecded1802b035c2356e6416e5ea39ae3da638212
-
Filesize
725KB
MD5ab6c7ec51ca619fadef5df5722bf6689
SHA1460faa3061e5ceb05c4bb7dcb2f6dcc94ed44317
SHA256710cac71b68916ded1228658608f54bd6cb07123b913defea5f45458c2337fbb
SHA512f6aeebc27caa232876aa247c5dd08dad8e5d74cdadb98e0db2461c1beec200efc89c4e313852bb994c52fe91131f3898924e8fedc5f6a05f8bcc48f8f4c09128
-
Filesize
725KB
MD5ab6c7ec51ca619fadef5df5722bf6689
SHA1460faa3061e5ceb05c4bb7dcb2f6dcc94ed44317
SHA256710cac71b68916ded1228658608f54bd6cb07123b913defea5f45458c2337fbb
SHA512f6aeebc27caa232876aa247c5dd08dad8e5d74cdadb98e0db2461c1beec200efc89c4e313852bb994c52fe91131f3898924e8fedc5f6a05f8bcc48f8f4c09128
-
Filesize
319KB
MD517071fbadf6c77eeb8b72916a9801858
SHA1c60e2c97c477bd83e51224a05e542c29f85097d5
SHA25637467ec2eb26f8572499aafc4e2ef9c4b5c74f01bded95fd7cf924faa7f68058
SHA512461cbc0cde311c2fd335ba33495627d7cd0829a8cf6abb59777cbb1fc80eca2bc86f76209bf7a78c97f5d78642129a1b9712b45260cb911adfa245076177ac5a
-
Filesize
319KB
MD517071fbadf6c77eeb8b72916a9801858
SHA1c60e2c97c477bd83e51224a05e542c29f85097d5
SHA25637467ec2eb26f8572499aafc4e2ef9c4b5c74f01bded95fd7cf924faa7f68058
SHA512461cbc0cde311c2fd335ba33495627d7cd0829a8cf6abb59777cbb1fc80eca2bc86f76209bf7a78c97f5d78642129a1b9712b45260cb911adfa245076177ac5a
-
Filesize
1.1MB
MD5fc94f1745be2386dfa3b366c85087517
SHA111a5b56dec0c9a123384a7a1c71b724e79371c6f
SHA25662625350280734d5a4f3cc76ea43e398a880a61b9d5eaeafff36ef5a64146917
SHA512323d3af27ed930957842fda8bfc42ab0d3efa220c8023ee6583c3c735a1cd8c52248ba387155c76ea295ba600288f776d5a046ce0b1170b206dc4e2d6c4c4514
-
Filesize
1.1MB
MD5fc94f1745be2386dfa3b366c85087517
SHA111a5b56dec0c9a123384a7a1c71b724e79371c6f
SHA25662625350280734d5a4f3cc76ea43e398a880a61b9d5eaeafff36ef5a64146917
SHA512323d3af27ed930957842fda8bfc42ab0d3efa220c8023ee6583c3c735a1cd8c52248ba387155c76ea295ba600288f776d5a046ce0b1170b206dc4e2d6c4c4514
-
Filesize
11.4MB
MD5d5dfa0f5918b4c0e85d40ff7fd29245d
SHA13d695cf49eb94d2453cd4ec81292be074fc93a81
SHA256f49bd7f46ccd889892abd707c1dd93a5df65c1e0407afd3ad294ea27b030cad6
SHA512252877f0c50660e086b5711e206d948cd914391fe5cffe8cf5c555f551880ac03d8ed49cbd015378f5975a675953832620fee787fbb119c59d40ba637db94525
-
Filesize
11.4MB
MD5d5dfa0f5918b4c0e85d40ff7fd29245d
SHA13d695cf49eb94d2453cd4ec81292be074fc93a81
SHA256f49bd7f46ccd889892abd707c1dd93a5df65c1e0407afd3ad294ea27b030cad6
SHA512252877f0c50660e086b5711e206d948cd914391fe5cffe8cf5c555f551880ac03d8ed49cbd015378f5975a675953832620fee787fbb119c59d40ba637db94525
-
Filesize
319KB
MD517071fbadf6c77eeb8b72916a9801858
SHA1c60e2c97c477bd83e51224a05e542c29f85097d5
SHA25637467ec2eb26f8572499aafc4e2ef9c4b5c74f01bded95fd7cf924faa7f68058
SHA512461cbc0cde311c2fd335ba33495627d7cd0829a8cf6abb59777cbb1fc80eca2bc86f76209bf7a78c97f5d78642129a1b9712b45260cb911adfa245076177ac5a
-
Filesize
319KB
MD517071fbadf6c77eeb8b72916a9801858
SHA1c60e2c97c477bd83e51224a05e542c29f85097d5
SHA25637467ec2eb26f8572499aafc4e2ef9c4b5c74f01bded95fd7cf924faa7f68058
SHA512461cbc0cde311c2fd335ba33495627d7cd0829a8cf6abb59777cbb1fc80eca2bc86f76209bf7a78c97f5d78642129a1b9712b45260cb911adfa245076177ac5a
-
Filesize
319KB
MD517071fbadf6c77eeb8b72916a9801858
SHA1c60e2c97c477bd83e51224a05e542c29f85097d5
SHA25637467ec2eb26f8572499aafc4e2ef9c4b5c74f01bded95fd7cf924faa7f68058
SHA512461cbc0cde311c2fd335ba33495627d7cd0829a8cf6abb59777cbb1fc80eca2bc86f76209bf7a78c97f5d78642129a1b9712b45260cb911adfa245076177ac5a
-
Filesize
153B
MD5373df75aa457142d0157ed1b8eafc1ab
SHA1e77e14028b0ea3d557716b45f40f1bce967294a5
SHA256a15d0febe687ca9c7c5314828cc453b355ceb453d89b4e341f4173d6c8a09f29
SHA5127240b96b41fdcfb146a0e4707333f9d66d768dc912582c78f2ea361cf82ee6cd371a6f1513816d4ed7268c72d848c668677e9c9a367ac7f57e8ba1cf59d65318
-
Filesize
126KB
MD5e92a6a3a013a87cf57f3753d77a1b9c9
SHA101366b392cb71fed71f5bc1cd09e0f8c76657519
SHA25642a247529de63a9b43768ac145e38fe9da3adc8b2eed558e3ce11e5cd8bbc0e5
SHA512c59bab1bef238927fe8102cca6080f7b62e945254668201d0eaa49a64c6969e1f8eef65b2fea56d341035f0995b5c24907487351e4cde2b6baa5d49f5a192b57
-
Filesize
126KB
MD5e92a6a3a013a87cf57f3753d77a1b9c9
SHA101366b392cb71fed71f5bc1cd09e0f8c76657519
SHA25642a247529de63a9b43768ac145e38fe9da3adc8b2eed558e3ce11e5cd8bbc0e5
SHA512c59bab1bef238927fe8102cca6080f7b62e945254668201d0eaa49a64c6969e1f8eef65b2fea56d341035f0995b5c24907487351e4cde2b6baa5d49f5a192b57
-
Filesize
837KB
MD5e620507c28834b337195ca9d35c4a79b
SHA15b80356e3066da91a8193493c9fbfc37e259c226
SHA256703e1fb4de14b29eca7245d72f7ccf27e1cebb068f6381dc28c64661a4b5058b
SHA512123b25991a0951cdbd5a9e912db373c6924f465f3332d73c0a7ca0e3520aca84a6eefc1e2b0696f2e326f177a166c3c1a7e25fc8c2594fac5ac1961af58bb2a5
-
Filesize
837KB
MD5e620507c28834b337195ca9d35c4a79b
SHA15b80356e3066da91a8193493c9fbfc37e259c226
SHA256703e1fb4de14b29eca7245d72f7ccf27e1cebb068f6381dc28c64661a4b5058b
SHA512123b25991a0951cdbd5a9e912db373c6924f465f3332d73c0a7ca0e3520aca84a6eefc1e2b0696f2e326f177a166c3c1a7e25fc8c2594fac5ac1961af58bb2a5