Analysis
-
max time kernel
152s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
01/12/2022, 13:55
Static task
static1
Behavioral task
behavioral1
Sample
5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe
Resource
win10v2004-20220812-en
General
-
Target
5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe
-
Size
186KB
-
MD5
98e9926dc94f2e19a162caa2f69c0923
-
SHA1
b5780ca5951d762f73b3df1ec77f6b0b13aeb970
-
SHA256
5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361
-
SHA512
c966e8f8502d8311e0f6b8c4d5fc14285a05f416889389cd1378e03ccf4118c1e39fdcfd018b7e8bec8204374201e31733d8bbdaff733c511302b1b448be2d1f
-
SSDEEP
3072:1lYYMWAkYsG5y3j6/XwSYcLpsGPqqi3zfSDAbEaqd:OkYsj3j6YSYcLKGPqrjf3Ea0
Malware Config
Extracted
amadey
3.50
62.204.41.252/nB8cWack3/index.php
Extracted
redline
@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)
151.80.89.233:13553
-
auth_value
fbee175162920530e6bf470c8003fa1a
Extracted
redline
Lege
31.41.244.14:4694
-
auth_value
096090aaf3ba0872338140cec5689868
Signatures
-
Detect Amadey credential stealer module 4 IoCs
resource yara_rule behavioral1/files/0x000600000001e2b0-236.dat amadey_cred_module behavioral1/memory/4448-239-0x0000000000630000-0x0000000000654000-memory.dmp amadey_cred_module behavioral1/files/0x000600000001e2b0-238.dat amadey_cred_module behavioral1/files/0x000600000001e2b0-237.dat amadey_cred_module -
Detects Smokeloader packer 1 IoCs
resource yara_rule behavioral1/memory/2736-133-0x00000000005B0000-0x00000000005B9000-memory.dmp family_smokeloader -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
resource yara_rule behavioral1/files/0x0008000000022f76-189.dat family_redline behavioral1/files/0x0008000000022f76-190.dat family_redline behavioral1/memory/5088-194-0x00000000003B0000-0x00000000003D8000-memory.dmp family_redline behavioral1/files/0x000200000001e78c-206.dat family_redline behavioral1/files/0x000200000001e78c-205.dat family_redline behavioral1/memory/4084-207-0x0000000000660000-0x0000000000688000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 1 IoCs
flow pid Process 84 4448 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
pid Process 4976 51F8.exe 2264 59D9.exe 3588 619A.exe 4900 gntuud.exe 5088 40K.exe 4084 Lege.exe 2180 linda5.exe 3812 gntuud.exe 3948 gntuud.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation linda5.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation 51F8.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation gntuud.exe -
Loads dropped DLL 4 IoCs
pid Process 1244 msiexec.exe 1244 msiexec.exe 4448 rundll32.exe 4448 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\40K.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000025001\\40K.exe" gntuud.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lege.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000026001\\Lege.exe" gntuud.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000027001\\linda5.exe" gntuud.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2264 set thread context of 5000 2264 59D9.exe 93 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 5 IoCs
pid pid_target Process procid_target 3268 3588 WerFault.exe 87 4212 2264 WerFault.exe 85 3000 4976 WerFault.exe 79 4988 3812 WerFault.exe 116 1148 3948 WerFault.exe 120 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3556 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2736 5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe 2736 5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3068 Process not Found -
Suspicious behavior: MapViewOfSection 19 IoCs
pid Process 2736 5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found 3068 Process not Found -
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process Token: SeShutdownPrivilege 3068 Process not Found Token: SeCreatePagefilePrivilege 3068 Process not Found Token: SeShutdownPrivilege 3068 Process not Found Token: SeCreatePagefilePrivilege 3068 Process not Found Token: SeShutdownPrivilege 3068 Process not Found Token: SeCreatePagefilePrivilege 3068 Process not Found Token: SeShutdownPrivilege 3068 Process not Found Token: SeCreatePagefilePrivilege 3068 Process not Found Token: SeShutdownPrivilege 3068 Process not Found Token: SeCreatePagefilePrivilege 3068 Process not Found Token: SeShutdownPrivilege 3068 Process not Found Token: SeCreatePagefilePrivilege 3068 Process not Found Token: SeShutdownPrivilege 3068 Process not Found Token: SeCreatePagefilePrivilege 3068 Process not Found Token: SeShutdownPrivilege 3068 Process not Found Token: SeCreatePagefilePrivilege 3068 Process not Found Token: SeShutdownPrivilege 3068 Process not Found Token: SeCreatePagefilePrivilege 3068 Process not Found Token: SeShutdownPrivilege 3068 Process not Found Token: SeCreatePagefilePrivilege 3068 Process not Found Token: SeShutdownPrivilege 3068 Process not Found Token: SeCreatePagefilePrivilege 3068 Process not Found Token: SeShutdownPrivilege 3068 Process not Found Token: SeCreatePagefilePrivilege 3068 Process not Found Token: SeShutdownPrivilege 3068 Process not Found Token: SeCreatePagefilePrivilege 3068 Process not Found Token: SeShutdownPrivilege 3068 Process not Found Token: SeCreatePagefilePrivilege 3068 Process not Found Token: SeShutdownPrivilege 3068 Process not Found Token: SeCreatePagefilePrivilege 3068 Process not Found Token: SeShutdownPrivilege 3068 Process not Found Token: SeCreatePagefilePrivilege 3068 Process not Found Token: SeShutdownPrivilege 3068 Process not Found Token: SeCreatePagefilePrivilege 3068 Process not Found Token: SeDebugPrivilege 5088 40K.exe Token: SeDebugPrivilege 4084 Lege.exe Token: SeShutdownPrivilege 3068 Process not Found Token: SeCreatePagefilePrivilege 3068 Process not Found Token: SeShutdownPrivilege 3068 Process not Found Token: SeCreatePagefilePrivilege 3068 Process not Found Token: SeShutdownPrivilege 3068 Process not Found Token: SeCreatePagefilePrivilege 3068 Process not Found Token: SeShutdownPrivilege 3068 Process not Found Token: SeCreatePagefilePrivilege 3068 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3068 wrote to memory of 4976 3068 Process not Found 79 PID 3068 wrote to memory of 4976 3068 Process not Found 79 PID 3068 wrote to memory of 4976 3068 Process not Found 79 PID 3068 wrote to memory of 2264 3068 Process not Found 85 PID 3068 wrote to memory of 2264 3068 Process not Found 85 PID 3068 wrote to memory of 2264 3068 Process not Found 85 PID 3068 wrote to memory of 3588 3068 Process not Found 87 PID 3068 wrote to memory of 3588 3068 Process not Found 87 PID 3068 wrote to memory of 3588 3068 Process not Found 87 PID 3068 wrote to memory of 4176 3068 Process not Found 90 PID 3068 wrote to memory of 4176 3068 Process not Found 90 PID 3068 wrote to memory of 4176 3068 Process not Found 90 PID 3068 wrote to memory of 4176 3068 Process not Found 90 PID 3068 wrote to memory of 2164 3068 Process not Found 92 PID 3068 wrote to memory of 2164 3068 Process not Found 92 PID 3068 wrote to memory of 2164 3068 Process not Found 92 PID 2264 wrote to memory of 5000 2264 59D9.exe 93 PID 2264 wrote to memory of 5000 2264 59D9.exe 93 PID 2264 wrote to memory of 5000 2264 59D9.exe 93 PID 2264 wrote to memory of 5000 2264 59D9.exe 93 PID 3068 wrote to memory of 4780 3068 Process not Found 94 PID 3068 wrote to memory of 4780 3068 Process not Found 94 PID 3068 wrote to memory of 4780 3068 Process not Found 94 PID 3068 wrote to memory of 4780 3068 Process not Found 94 PID 2264 wrote to memory of 5000 2264 59D9.exe 93 PID 3068 wrote to memory of 1788 3068 Process not Found 98 PID 3068 wrote to memory of 1788 3068 Process not Found 98 PID 3068 wrote to memory of 1788 3068 Process not Found 98 PID 4976 wrote to memory of 4900 4976 51F8.exe 99 PID 4976 wrote to memory of 4900 4976 51F8.exe 99 PID 4976 wrote to memory of 4900 4976 51F8.exe 99 PID 3068 wrote to memory of 3804 3068 Process not Found 102 PID 3068 wrote to memory of 3804 3068 Process not Found 102 PID 3068 wrote to memory of 3804 3068 Process not Found 102 PID 3068 wrote to memory of 3804 3068 Process not Found 102 PID 4900 wrote to memory of 3556 4900 gntuud.exe 103 PID 4900 wrote to memory of 3556 4900 gntuud.exe 103 PID 4900 wrote to memory of 3556 4900 gntuud.exe 103 PID 3068 wrote to memory of 5024 3068 Process not Found 105 PID 3068 wrote to memory of 5024 3068 Process not Found 105 PID 3068 wrote to memory of 5024 3068 Process not Found 105 PID 3068 wrote to memory of 5024 3068 Process not Found 105 PID 3068 wrote to memory of 1808 3068 Process not Found 108 PID 3068 wrote to memory of 1808 3068 Process not Found 108 PID 3068 wrote to memory of 1808 3068 Process not Found 108 PID 3068 wrote to memory of 1808 3068 Process not Found 108 PID 4900 wrote to memory of 5088 4900 gntuud.exe 109 PID 4900 wrote to memory of 5088 4900 gntuud.exe 109 PID 4900 wrote to memory of 5088 4900 gntuud.exe 109 PID 3068 wrote to memory of 2124 3068 Process not Found 110 PID 3068 wrote to memory of 2124 3068 Process not Found 110 PID 3068 wrote to memory of 2124 3068 Process not Found 110 PID 3068 wrote to memory of 2480 3068 Process not Found 111 PID 3068 wrote to memory of 2480 3068 Process not Found 111 PID 3068 wrote to memory of 2480 3068 Process not Found 111 PID 3068 wrote to memory of 2480 3068 Process not Found 111 PID 4900 wrote to memory of 4084 4900 gntuud.exe 112 PID 4900 wrote to memory of 4084 4900 gntuud.exe 112 PID 4900 wrote to memory of 4084 4900 gntuud.exe 112 PID 4900 wrote to memory of 2180 4900 gntuud.exe 113 PID 4900 wrote to memory of 2180 4900 gntuud.exe 113 PID 4900 wrote to memory of 2180 4900 gntuud.exe 113 PID 2180 wrote to memory of 1244 2180 linda5.exe 114 PID 2180 wrote to memory of 1244 2180 linda5.exe 114 -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe"C:\Users\Admin\AppData\Local\Temp\5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2736
-
C:\Users\Admin\AppData\Local\Temp\51F8.exeC:\Users\Admin\AppData\Local\Temp\51F8.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F3⤵
- Creates scheduled task(s)
PID:3556
-
-
C:\Users\Admin\AppData\Local\Temp\1000025001\40K.exe"C:\Users\Admin\AppData\Local\Temp\1000025001\40K.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5088
-
-
C:\Users\Admin\AppData\Local\Temp\1000026001\Lege.exe"C:\Users\Admin\AppData\Local\Temp\1000026001\Lege.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4084
-
-
C:\Users\Admin\AppData\Local\Temp\1000027001\linda5.exe"C:\Users\Admin\AppData\Local\Temp\1000027001\linda5.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /y .\PtU1.AM4⤵
- Loads dropped DLL
PID:1244
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
PID:4448
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 8922⤵
- Program crash
PID:3000
-
-
C:\Users\Admin\AppData\Local\Temp\59D9.exeC:\Users\Admin\AppData\Local\Temp\59D9.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵PID:5000
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 2402⤵
- Program crash
PID:4212
-
-
C:\Users\Admin\AppData\Local\Temp\619A.exeC:\Users\Admin\AppData\Local\Temp\619A.exe1⤵
- Executes dropped EXE
PID:3588 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 2882⤵
- Program crash
PID:3268
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3588 -ip 35881⤵PID:3316
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:4176
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:2164
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:4780
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2264 -ip 22641⤵PID:4596
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:1788
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4976 -ip 49761⤵PID:3468
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:3804
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:5024
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1808
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:2124
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:2480
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe1⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 4162⤵
- Program crash
PID:4988
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3812 -ip 38121⤵PID:4032
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe1⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 4162⤵
- Program crash
PID:1148
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3948 -ip 39481⤵PID:1912
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
137KB
MD587ef06885fd221a86bba9e5b86a7ea7d
SHA16644db86f2d557167f442a5fe72a82de3fe943ba
SHA256ab5026bf6fe5d692faaf86752b4c9fa226ec49ba54cfb625579287b498eab20f
SHA512c65b38856d4995b01454754044ae7373363a02b8e228c249fee3c1c2222f2348473f0bba5a5f2e4a280cd183e57dc13423bb09f86919ccb8968c8229310c5ad0
-
Filesize
137KB
MD587ef06885fd221a86bba9e5b86a7ea7d
SHA16644db86f2d557167f442a5fe72a82de3fe943ba
SHA256ab5026bf6fe5d692faaf86752b4c9fa226ec49ba54cfb625579287b498eab20f
SHA512c65b38856d4995b01454754044ae7373363a02b8e228c249fee3c1c2222f2348473f0bba5a5f2e4a280cd183e57dc13423bb09f86919ccb8968c8229310c5ad0
-
Filesize
137KB
MD50a793a6b9941c49675a47a2bc91cb420
SHA1ff051cc2d9cf081e863f5bb8c3d2449c28f12c7f
SHA2563bb977fda504647a2f21a19b67c3edf91ea1eb35166258164eb89b8ae1603c60
SHA512fd695f62ef32f79f3b4e5c57c68056b004355d5a16e6558bfb310f8ded03c837fe5f505f5a4f433a740fa0b980a71962571c3dd4ed86d95146a22f126850dc36
-
Filesize
137KB
MD50a793a6b9941c49675a47a2bc91cb420
SHA1ff051cc2d9cf081e863f5bb8c3d2449c28f12c7f
SHA2563bb977fda504647a2f21a19b67c3edf91ea1eb35166258164eb89b8ae1603c60
SHA512fd695f62ef32f79f3b4e5c57c68056b004355d5a16e6558bfb310f8ded03c837fe5f505f5a4f433a740fa0b980a71962571c3dd4ed86d95146a22f126850dc36
-
Filesize
1.6MB
MD5bcf73a95d7cff6a563a899d1f7d8c0b0
SHA182bd1029a51a67d8b569cc48808ebb714a22748b
SHA256ffee0c4fbb5e0dd85bed62198229736f95517dc3a72a307083a4d35b31e57ed4
SHA51250c3499fd3bbebcb31f180f11fb8722114f6768be3ad688ae045f9e5e63ad78e99054f01df2865854087c2d2f432cb61598cd4bf816289eb82791c2a9dbde591
-
Filesize
1.6MB
MD5bcf73a95d7cff6a563a899d1f7d8c0b0
SHA182bd1029a51a67d8b569cc48808ebb714a22748b
SHA256ffee0c4fbb5e0dd85bed62198229736f95517dc3a72a307083a4d35b31e57ed4
SHA51250c3499fd3bbebcb31f180f11fb8722114f6768be3ad688ae045f9e5e63ad78e99054f01df2865854087c2d2f432cb61598cd4bf816289eb82791c2a9dbde591
-
Filesize
244KB
MD50953f9309090c246bfebc27755e19196
SHA13fe53ec55cec66f59c27fc667bafe55fb84e9c2b
SHA2565a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568
SHA5129fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16
-
Filesize
244KB
MD50953f9309090c246bfebc27755e19196
SHA13fe53ec55cec66f59c27fc667bafe55fb84e9c2b
SHA2565a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568
SHA5129fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16
-
Filesize
4.6MB
MD5c6ded8762cdd4b6dfd1786a86dd14527
SHA1fad44e357fca7c944fef59f75ecb33f2a0737d53
SHA2567b58f4a4d1f500506201a5e4c0f5842351caf8070863999d8166684786ffc0cb
SHA51200e2a36bf88283f9c560e9c55e40ac2779922b02cb6dcfb84f3df56ff82f9a779fb1c04f3ad009a5049773d27e8baefa137bd653266461409ec3733483fe38dd
-
Filesize
4.6MB
MD5c6ded8762cdd4b6dfd1786a86dd14527
SHA1fad44e357fca7c944fef59f75ecb33f2a0737d53
SHA2567b58f4a4d1f500506201a5e4c0f5842351caf8070863999d8166684786ffc0cb
SHA51200e2a36bf88283f9c560e9c55e40ac2779922b02cb6dcfb84f3df56ff82f9a779fb1c04f3ad009a5049773d27e8baefa137bd653266461409ec3733483fe38dd
-
Filesize
1.2MB
MD5d21c0fcfdc6a04825225418b294160cc
SHA17566a4019ae9792de349c9b2482aa04091b48df4
SHA2561eff9b58c3850c4e75b20b622255c04c994c11c2f4da649ec0815058e5bb765c
SHA5121ee892f0eba2dd2a55b4bd4f80fd290ed9146306dd17d2e91165972a59870300d7ebfa73a445b8927c83730f86849889f978e7ac0497433aff896f1a5a62b97b
-
Filesize
244KB
MD50953f9309090c246bfebc27755e19196
SHA13fe53ec55cec66f59c27fc667bafe55fb84e9c2b
SHA2565a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568
SHA5129fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16
-
Filesize
244KB
MD50953f9309090c246bfebc27755e19196
SHA13fe53ec55cec66f59c27fc667bafe55fb84e9c2b
SHA2565a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568
SHA5129fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16
-
Filesize
244KB
MD50953f9309090c246bfebc27755e19196
SHA13fe53ec55cec66f59c27fc667bafe55fb84e9c2b
SHA2565a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568
SHA5129fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16
-
Filesize
244KB
MD50953f9309090c246bfebc27755e19196
SHA13fe53ec55cec66f59c27fc667bafe55fb84e9c2b
SHA2565a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568
SHA5129fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16
-
Filesize
1.5MB
MD549ad213d3e2f304c2170118fab55cc54
SHA14c8ceac0d9bd32611ed8b3f5dca85f451911e7fb
SHA25611c0c4f797a4a1459fc2bcf9d9dc55f1c0c3a0bb7d66738333d5132c1cf910ff
SHA512562c420119c8c42d9d5590e2106b340a44279b6d0f07eb19573fa6e3d466d7824ba83eb8a34da6c1dc6912bd0f8350dcdd5fe88ffcef2a1ae8d319e76094ce43
-
Filesize
1.5MB
MD549ad213d3e2f304c2170118fab55cc54
SHA14c8ceac0d9bd32611ed8b3f5dca85f451911e7fb
SHA25611c0c4f797a4a1459fc2bcf9d9dc55f1c0c3a0bb7d66738333d5132c1cf910ff
SHA512562c420119c8c42d9d5590e2106b340a44279b6d0f07eb19573fa6e3d466d7824ba83eb8a34da6c1dc6912bd0f8350dcdd5fe88ffcef2a1ae8d319e76094ce43
-
Filesize
1.5MB
MD549ad213d3e2f304c2170118fab55cc54
SHA14c8ceac0d9bd32611ed8b3f5dca85f451911e7fb
SHA25611c0c4f797a4a1459fc2bcf9d9dc55f1c0c3a0bb7d66738333d5132c1cf910ff
SHA512562c420119c8c42d9d5590e2106b340a44279b6d0f07eb19573fa6e3d466d7824ba83eb8a34da6c1dc6912bd0f8350dcdd5fe88ffcef2a1ae8d319e76094ce43
-
Filesize
126KB
MD5d3cb6267ee9076d5aef4a2dbe0d815c8
SHA1840218680463914d50509ed6d7858e328fc8a54c
SHA256fea6ecd2a63044cc6be256142021fc91564c2ae1705620efc2fe6a3f4e265689
SHA5124c10709ae5288dae7d297beecca29b7700e2926787941139e81c61eb4ad0790152991d7447c4243891c51115f5a9dd43b4c0e7dd0f9dfdbe1cc466fbe9f3841a
-
Filesize
126KB
MD5d3cb6267ee9076d5aef4a2dbe0d815c8
SHA1840218680463914d50509ed6d7858e328fc8a54c
SHA256fea6ecd2a63044cc6be256142021fc91564c2ae1705620efc2fe6a3f4e265689
SHA5124c10709ae5288dae7d297beecca29b7700e2926787941139e81c61eb4ad0790152991d7447c4243891c51115f5a9dd43b4c0e7dd0f9dfdbe1cc466fbe9f3841a
-
Filesize
126KB
MD5d3cb6267ee9076d5aef4a2dbe0d815c8
SHA1840218680463914d50509ed6d7858e328fc8a54c
SHA256fea6ecd2a63044cc6be256142021fc91564c2ae1705620efc2fe6a3f4e265689
SHA5124c10709ae5288dae7d297beecca29b7700e2926787941139e81c61eb4ad0790152991d7447c4243891c51115f5a9dd43b4c0e7dd0f9dfdbe1cc466fbe9f3841a