Analysis
-
max time kernel
138s -
max time network
143s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system -
submitted
24-11-2022 23:52
Static task
static1
Behavioral task
behavioral1
Sample
549c9e7ffa89e87dcce9be1c0c0f6c5e119de15daf142d53327d15ba91607690.exe
Resource
win10-20220901-en
General
-
Target
549c9e7ffa89e87dcce9be1c0c0f6c5e119de15daf142d53327d15ba91607690.exe
-
Size
246KB
-
MD5
0ffc57a0b455d613e887e58cced3797e
-
SHA1
10e652967ea3e4140be52f4f7a77f4308e87fe93
-
SHA256
549c9e7ffa89e87dcce9be1c0c0f6c5e119de15daf142d53327d15ba91607690
-
SHA512
9b84aefd4e5bfedeebd734995a829fcc2c89d7cdbd63af66035bdcc8e4a4a20786535f7a77a5aa644682a05548a2075466fb7e1500294d598ef4deeb28b4c6bf
-
SSDEEP
6144:frdmLwvhK59diSwBkSdI1PZTCcpw85P7Nq6:frdmkvha9I61PJpV5U
Malware Config
Extracted
amadey
3.50
193.56.146.174/g84kvj4jck/index.php
Extracted
redline
5139967220
79.137.192.6:8362
Extracted
laplas
79.137.206.137
-
api_key
0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/3124-476-0x000000000054972E-mapping.dmp family_redline behavioral1/memory/3124-512-0x0000000000530000-0x000000000054E000-memory.dmp family_redline -
Processes:
1.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 1.exe -
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
Processes:
rovwer.exe3000.exezzz.exe1.exe1000.exeSmart.exerovwer.exerovwer.exeFRWxXtyVnj.exepid process 4316 rovwer.exe 4560 3000.exe 1964 zzz.exe 1284 1.exe 416 1000.exe 2172 Smart.exe 4840 rovwer.exe 4716 rovwer.exe 4568 FRWxXtyVnj.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
1.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys" 1.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000215001\zzz.exe upx C:\Users\Admin\AppData\Local\Temp\1000215001\zzz.exe upx behavioral1/memory/1964-354-0x0000000000220000-0x0000000000A02000-memory.dmp upx -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
rovwer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\1000.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000217001\\1000.exe" rovwer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\3000.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000212001\\3000.exe" rovwer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\zzz.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000215001\\zzz.exe" rovwer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000216001\\1.exe" rovwer.exe -
Processes:
1.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 1.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
1.exe1000.exedescription pid process target process PID 1284 set thread context of 3804 1284 1.exe CasPol.exe PID 416 set thread context of 3124 416 1000.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3740 416 WerFault.exe 1000.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 5096 schtasks.exe 5068 schtasks.exe -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
Processes:
description flow ioc HTTP User-Agent header 18 Go-http-client/1.1 -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exevbc.exepid process 1052 powershell.exe 1052 powershell.exe 1052 powershell.exe 3124 vbc.exe 3124 vbc.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
1.exepid process 1284 1.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
1.exepowershell.exevbc.exedescription pid process Token: SeDebugPrivilege 1284 1.exe Token: SeLoadDriverPrivilege 1284 1.exe Token: SeDebugPrivilege 1052 powershell.exe Token: SeIncreaseQuotaPrivilege 1052 powershell.exe Token: SeSecurityPrivilege 1052 powershell.exe Token: SeTakeOwnershipPrivilege 1052 powershell.exe Token: SeLoadDriverPrivilege 1052 powershell.exe Token: SeSystemProfilePrivilege 1052 powershell.exe Token: SeSystemtimePrivilege 1052 powershell.exe Token: SeProfSingleProcessPrivilege 1052 powershell.exe Token: SeIncBasePriorityPrivilege 1052 powershell.exe Token: SeCreatePagefilePrivilege 1052 powershell.exe Token: SeBackupPrivilege 1052 powershell.exe Token: SeRestorePrivilege 1052 powershell.exe Token: SeShutdownPrivilege 1052 powershell.exe Token: SeDebugPrivilege 1052 powershell.exe Token: SeSystemEnvironmentPrivilege 1052 powershell.exe Token: SeRemoteShutdownPrivilege 1052 powershell.exe Token: SeUndockPrivilege 1052 powershell.exe Token: SeManageVolumePrivilege 1052 powershell.exe Token: 33 1052 powershell.exe Token: 34 1052 powershell.exe Token: 35 1052 powershell.exe Token: 36 1052 powershell.exe Token: SeDebugPrivilege 3124 vbc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
549c9e7ffa89e87dcce9be1c0c0f6c5e119de15daf142d53327d15ba91607690.exerovwer.execmd.exezzz.execmd.exe1.exe1000.exevbc.exeSmart.exedescription pid process target process PID 572 wrote to memory of 4316 572 549c9e7ffa89e87dcce9be1c0c0f6c5e119de15daf142d53327d15ba91607690.exe rovwer.exe PID 572 wrote to memory of 4316 572 549c9e7ffa89e87dcce9be1c0c0f6c5e119de15daf142d53327d15ba91607690.exe rovwer.exe PID 572 wrote to memory of 4316 572 549c9e7ffa89e87dcce9be1c0c0f6c5e119de15daf142d53327d15ba91607690.exe rovwer.exe PID 4316 wrote to memory of 5096 4316 rovwer.exe schtasks.exe PID 4316 wrote to memory of 5096 4316 rovwer.exe schtasks.exe PID 4316 wrote to memory of 5096 4316 rovwer.exe schtasks.exe PID 4316 wrote to memory of 3556 4316 rovwer.exe cmd.exe PID 4316 wrote to memory of 3556 4316 rovwer.exe cmd.exe PID 4316 wrote to memory of 3556 4316 rovwer.exe cmd.exe PID 3556 wrote to memory of 1688 3556 cmd.exe cmd.exe PID 3556 wrote to memory of 1688 3556 cmd.exe cmd.exe PID 3556 wrote to memory of 1688 3556 cmd.exe cmd.exe PID 3556 wrote to memory of 4836 3556 cmd.exe cacls.exe PID 3556 wrote to memory of 4836 3556 cmd.exe cacls.exe PID 3556 wrote to memory of 4836 3556 cmd.exe cacls.exe PID 3556 wrote to memory of 3724 3556 cmd.exe cacls.exe PID 3556 wrote to memory of 3724 3556 cmd.exe cacls.exe PID 3556 wrote to memory of 3724 3556 cmd.exe cacls.exe PID 3556 wrote to memory of 3548 3556 cmd.exe cmd.exe PID 3556 wrote to memory of 3548 3556 cmd.exe cmd.exe PID 3556 wrote to memory of 3548 3556 cmd.exe cmd.exe PID 3556 wrote to memory of 4384 3556 cmd.exe cacls.exe PID 3556 wrote to memory of 4384 3556 cmd.exe cacls.exe PID 3556 wrote to memory of 4384 3556 cmd.exe cacls.exe PID 3556 wrote to memory of 4596 3556 cmd.exe cacls.exe PID 3556 wrote to memory of 4596 3556 cmd.exe cacls.exe PID 3556 wrote to memory of 4596 3556 cmd.exe cacls.exe PID 4316 wrote to memory of 4560 4316 rovwer.exe 3000.exe PID 4316 wrote to memory of 4560 4316 rovwer.exe 3000.exe PID 4316 wrote to memory of 4560 4316 rovwer.exe 3000.exe PID 4316 wrote to memory of 1964 4316 rovwer.exe zzz.exe PID 4316 wrote to memory of 1964 4316 rovwer.exe zzz.exe PID 1964 wrote to memory of 804 1964 zzz.exe cmd.exe PID 1964 wrote to memory of 804 1964 zzz.exe cmd.exe PID 804 wrote to memory of 1152 804 cmd.exe choice.exe PID 804 wrote to memory of 1152 804 cmd.exe choice.exe PID 4316 wrote to memory of 1284 4316 rovwer.exe 1.exe PID 4316 wrote to memory of 1284 4316 rovwer.exe 1.exe PID 1284 wrote to memory of 1052 1284 1.exe powershell.exe PID 1284 wrote to memory of 1052 1284 1.exe powershell.exe PID 4316 wrote to memory of 416 4316 rovwer.exe 1000.exe PID 4316 wrote to memory of 416 4316 rovwer.exe 1000.exe PID 4316 wrote to memory of 416 4316 rovwer.exe 1000.exe PID 1284 wrote to memory of 3804 1284 1.exe CasPol.exe PID 1284 wrote to memory of 3804 1284 1.exe CasPol.exe PID 1284 wrote to memory of 3804 1284 1.exe CasPol.exe PID 1284 wrote to memory of 3804 1284 1.exe CasPol.exe PID 1284 wrote to memory of 3804 1284 1.exe CasPol.exe PID 1284 wrote to memory of 3804 1284 1.exe CasPol.exe PID 1284 wrote to memory of 3804 1284 1.exe CasPol.exe PID 1284 wrote to memory of 3804 1284 1.exe CasPol.exe PID 1284 wrote to memory of 3804 1284 1.exe CasPol.exe PID 1284 wrote to memory of 3804 1284 1.exe CasPol.exe PID 416 wrote to memory of 3124 416 1000.exe vbc.exe PID 416 wrote to memory of 3124 416 1000.exe vbc.exe PID 416 wrote to memory of 3124 416 1000.exe vbc.exe PID 416 wrote to memory of 3124 416 1000.exe vbc.exe PID 416 wrote to memory of 3124 416 1000.exe vbc.exe PID 3124 wrote to memory of 2172 3124 vbc.exe Smart.exe PID 3124 wrote to memory of 2172 3124 vbc.exe Smart.exe PID 3124 wrote to memory of 2172 3124 vbc.exe Smart.exe PID 2172 wrote to memory of 2268 2172 Smart.exe cmd.exe PID 2172 wrote to memory of 2268 2172 Smart.exe cmd.exe PID 2172 wrote to memory of 2268 2172 Smart.exe cmd.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
1.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\549c9e7ffa89e87dcce9be1c0c0f6c5e119de15daf142d53327d15ba91607690.exe"C:\Users\Admin\AppData\Local\Temp\549c9e7ffa89e87dcce9be1c0c0f6c5e119de15daf142d53327d15ba91607690.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F3⤵
- Creates scheduled task(s)
PID:5096 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit3⤵
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1688
-
C:\Windows\SysWOW64\cacls.exeCACLS "rovwer.exe" /P "Admin:N"4⤵PID:4836
-
C:\Windows\SysWOW64\cacls.exeCACLS "rovwer.exe" /P "Admin:R" /E4⤵PID:3724
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:3548
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\99e342142d" /P "Admin:N"4⤵PID:4384
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\99e342142d" /P "Admin:R" /E4⤵PID:4596
-
C:\Users\Admin\AppData\Local\Temp\1000212001\3000.exe"C:\Users\Admin\AppData\Local\Temp\1000212001\3000.exe"3⤵
- Executes dropped EXE
PID:4560 -
C:\Users\Admin\AppData\Local\Temp\1000215001\zzz.exe"C:\Users\Admin\AppData\Local\Temp\1000215001\zzz.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\1000215001\zzz.exe4⤵
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 05⤵PID:1152
-
C:\Users\Admin\AppData\Local\Temp\1000216001\1.exe"C:\Users\Admin\AppData\Local\Temp\1000216001\1.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Sets service image path in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1284 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000216001\1.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"4⤵PID:3804
-
C:\Users\Admin\AppData\Local\Temp\1000217001\1000.exe"C:\Users\Admin\AppData\Local\Temp\1000217001\1000.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:416 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Users\Admin\AppData\Local\Temp\Smart.exe"C:\Users\Admin\AppData\Local\Temp\Smart.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\cmd.execmd.exe /C schtasks /create /tn RYplbyBDUW /tr C:\Users\Admin\AppData\Roaming\RYplbyBDUW\FRWxXtyVnj.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f6⤵PID:2268
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn RYplbyBDUW /tr C:\Users\Admin\AppData\Roaming\RYplbyBDUW\FRWxXtyVnj.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f7⤵
- Creates scheduled task(s)
PID:5068 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 3364⤵
- Program crash
PID:3740
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe1⤵
- Executes dropped EXE
PID:4840
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe1⤵
- Executes dropped EXE
PID:4716
-
C:\Users\Admin\AppData\Roaming\RYplbyBDUW\FRWxXtyVnj.exeC:\Users\Admin\AppData\Roaming\RYplbyBDUW\FRWxXtyVnj.exe1⤵
- Executes dropped EXE
PID:4568
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.4MB
MD577181eb9385b899f4bce3387a2efe18c
SHA168488c2d2aae96c6f552bcddb81e198b0390312a
SHA256e18597f8343d2752ecfea69c4615ea58f37d948ee5d0741791410fb2a4827b1b
SHA5123d034f0b238ad5da850d38f3f247693415ca1773aab84f25c32d500864d7a11b8385d2c5da45a19950c5cdad9664963af85ae13d48da7fceee895d847f94eeb9
-
Filesize
2.4MB
MD5e289e55c96e8c077a682aa0530841161
SHA1d5154044ff465fa535955c857118b59124c85547
SHA256a9e18560e367a43b940ba8ff800dc6eb77c44d03ebc9e1686d0f2e8e5496814a
SHA512a9a33b18c30a0016b7d2d5818c9922afa31e79e6783021dfa838672c7900b22a8b9041df6b0847a54e39b40fb7e62b2c341de64b140b24d54c0cb41a49301eaf
-
Filesize
2.4MB
MD5e289e55c96e8c077a682aa0530841161
SHA1d5154044ff465fa535955c857118b59124c85547
SHA256a9e18560e367a43b940ba8ff800dc6eb77c44d03ebc9e1686d0f2e8e5496814a
SHA512a9a33b18c30a0016b7d2d5818c9922afa31e79e6783021dfa838672c7900b22a8b9041df6b0847a54e39b40fb7e62b2c341de64b140b24d54c0cb41a49301eaf
-
Filesize
485KB
MD5197cc0b311afc440dd150387e68bf49f
SHA178434666b854de78dfbfb253e66644865d324586
SHA256d0f5a3be9ab80e06600ffcb13d897f325b7c8737b895223b3b7e03ecc79abbca
SHA51293e805b0956a69a2f9bcabd059bafef689a82aa8654a71bf56d9834db9a5d1904aca34178e02b47f85b6bbac3b4430209dc989071e50c1d63c152daeb5052fed
-
Filesize
485KB
MD5197cc0b311afc440dd150387e68bf49f
SHA178434666b854de78dfbfb253e66644865d324586
SHA256d0f5a3be9ab80e06600ffcb13d897f325b7c8737b895223b3b7e03ecc79abbca
SHA51293e805b0956a69a2f9bcabd059bafef689a82aa8654a71bf56d9834db9a5d1904aca34178e02b47f85b6bbac3b4430209dc989071e50c1d63c152daeb5052fed
-
Filesize
182KB
MD575e4e9080625c45150fb0c729677203e
SHA1c31559bf53e9be7501c6fcad32ad29368d514e7d
SHA256081efe08a54211147b7fb7f7dafba081da5ca5c0902f741003c4e4374e773869
SHA512fcb0e13c5e3e1bf54dcb22470fc83097dffffd191e6f112595e0338b0a9f33dd45feb774a94dc8a00f35c09970d671a057ff5bd646541872abe8f26aa791bcbe
-
Filesize
182KB
MD575e4e9080625c45150fb0c729677203e
SHA1c31559bf53e9be7501c6fcad32ad29368d514e7d
SHA256081efe08a54211147b7fb7f7dafba081da5ca5c0902f741003c4e4374e773869
SHA512fcb0e13c5e3e1bf54dcb22470fc83097dffffd191e6f112595e0338b0a9f33dd45feb774a94dc8a00f35c09970d671a057ff5bd646541872abe8f26aa791bcbe
-
Filesize
246KB
MD50ffc57a0b455d613e887e58cced3797e
SHA110e652967ea3e4140be52f4f7a77f4308e87fe93
SHA256549c9e7ffa89e87dcce9be1c0c0f6c5e119de15daf142d53327d15ba91607690
SHA5129b84aefd4e5bfedeebd734995a829fcc2c89d7cdbd63af66035bdcc8e4a4a20786535f7a77a5aa644682a05548a2075466fb7e1500294d598ef4deeb28b4c6bf
-
Filesize
246KB
MD50ffc57a0b455d613e887e58cced3797e
SHA110e652967ea3e4140be52f4f7a77f4308e87fe93
SHA256549c9e7ffa89e87dcce9be1c0c0f6c5e119de15daf142d53327d15ba91607690
SHA5129b84aefd4e5bfedeebd734995a829fcc2c89d7cdbd63af66035bdcc8e4a4a20786535f7a77a5aa644682a05548a2075466fb7e1500294d598ef4deeb28b4c6bf
-
Filesize
246KB
MD50ffc57a0b455d613e887e58cced3797e
SHA110e652967ea3e4140be52f4f7a77f4308e87fe93
SHA256549c9e7ffa89e87dcce9be1c0c0f6c5e119de15daf142d53327d15ba91607690
SHA5129b84aefd4e5bfedeebd734995a829fcc2c89d7cdbd63af66035bdcc8e4a4a20786535f7a77a5aa644682a05548a2075466fb7e1500294d598ef4deeb28b4c6bf
-
Filesize
246KB
MD50ffc57a0b455d613e887e58cced3797e
SHA110e652967ea3e4140be52f4f7a77f4308e87fe93
SHA256549c9e7ffa89e87dcce9be1c0c0f6c5e119de15daf142d53327d15ba91607690
SHA5129b84aefd4e5bfedeebd734995a829fcc2c89d7cdbd63af66035bdcc8e4a4a20786535f7a77a5aa644682a05548a2075466fb7e1500294d598ef4deeb28b4c6bf
-
Filesize
4.6MB
MD521f79006cf7560986de8ec8a60998894
SHA1b4e170268721f7ddfb33c2cb5af3f953a0f16278
SHA2563c39c19a17c68b76ab916e85cc9d7a2e24525f4099a6d258f28dd27353febd25
SHA512f794f98972f9a7ee2cf5ee9541db8f83d6670cea95289dd8f55a52d576b2fdce58136d21b85f278ca28e545c522efecaea6529736ca89e62f8f596bd102f5615
-
Filesize
4.6MB
MD521f79006cf7560986de8ec8a60998894
SHA1b4e170268721f7ddfb33c2cb5af3f953a0f16278
SHA2563c39c19a17c68b76ab916e85cc9d7a2e24525f4099a6d258f28dd27353febd25
SHA512f794f98972f9a7ee2cf5ee9541db8f83d6670cea95289dd8f55a52d576b2fdce58136d21b85f278ca28e545c522efecaea6529736ca89e62f8f596bd102f5615
-
Filesize
142.4MB
MD5493382ba22cf65963b923742f4d6e21e
SHA19a82698c3ceaa3aa4784894ae4cf0bf926675103
SHA2566a7f3534acf80ad76df4b2fccf0eb14a9b7017d9858d723601c71b412fb7a687
SHA51207a5bfa08a571b7872731e5e7b8109e2a99178034c80b20091e560947cb577913c2b3bd3a2f44c8c9848e213e992fda98a83bbacb2b3c060a9223bc193a80a33
-
Filesize
142.8MB
MD5c509a98c2045ba79acbe30e9210bc9e0
SHA1557d7d013ff47d98034fa76d8404bd976fb07c7d
SHA256ca7d894d2bc4b65d32bb754de5986165ab54a68e6faf244f4c49d58576118dc8
SHA512dd3ec646bcdb315960932c98b6638c090073521abff584eeffcfa556a1d78f1f688b17fe30c8bdc56e872a3dc503be33093e368bb297b6124591134e8de403b2