Analysis
-
max time kernel
30s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231130-en -
resource tags
arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system -
submitted
08/12/2023, 16:34
Static task
static1
Behavioral task
behavioral1
Sample
4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe
Resource
win10v2004-20231130-en
General
-
Target
4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe
-
Size
238KB
-
MD5
76c1e36d3b39338ea1757dfab1ea3cc8
-
SHA1
08884dbfe52986b407af311a349e3e45345242e9
-
SHA256
4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124
-
SHA512
f4b7a858f9685cd23a9e4c509f88a0cb7f262609c8fc50930455827d8b2576dd40492e2cfaf247cf5f7b1b3342aa023544b022431c09911f3d1a5bc0b1a30832
-
SSDEEP
3072:uf0S/UGn9oZ1/yMjl+ACawid5D/dR9m3oGiWHqTCK:NsU7Z16MgcHdFJm3BHqT
Malware Config
Extracted
smokeloader
pu10
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
djvu
http://zexeq.com/test1/get.php
-
extension
.nbzi
-
offline_id
csCsb6cUvy0iMa6NgGCGH0hSfXQlGjZVEmFVkgt1
-
payload_url
http://brusuax.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-8dGJ2tqlOd Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0832ASdw
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect ZGRat V1 24 IoCs
resource yara_rule behavioral1/memory/3956-96-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-100-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-108-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-116-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-126-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-134-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-132-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-130-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-128-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-124-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-122-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-120-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-118-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-114-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-112-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-110-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-106-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-104-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-102-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-98-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-94-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-92-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-91-0x0000015A30180000-0x0000015A30260000-memory.dmp family_zgrat_v1 behavioral1/memory/3956-88-0x0000015A30180000-0x0000015A30264000-memory.dmp family_zgrat_v1 -
Detected Djvu ransomware 10 IoCs
resource yara_rule behavioral1/memory/2084-44-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2084-48-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/3408-47-0x00000000025C0000-0x00000000026DB000-memory.dmp family_djvu behavioral1/memory/2084-49-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2084-50-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2084-60-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/4048-66-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/4048-69-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/4048-67-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/3792-65-0x0000000002530000-0x00000000025C9000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ A038.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion A038.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion A038.exe -
Deletes itself 1 IoCs
pid Process 3164 Process not Found -
Executes dropped EXE 3 IoCs
pid Process 1612 A038.exe 3408 AFCA.exe 2084 AFCA.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 4220 icacls.exe -
resource yara_rule behavioral1/files/0x0007000000023302-20.dat themida behavioral1/files/0x0007000000023302-19.dat themida behavioral1/memory/1612-30-0x00000000003D0000-0x0000000000E9A000-memory.dmp themida -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\25111b4e-3e11-490e-8473-ed0f6cb06d72\\AFCA.exe\" --AutoStart" AFCA.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA A038.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1612 A038.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4756 set thread context of 436 4756 4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe 89 PID 3408 set thread context of 2084 3408 AFCA.exe 112 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 3832 436 WerFault.exe 89 956 4048 WerFault.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4704 schtasks.exe 4816 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 436 4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe 436 4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found 3164 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 436 4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeShutdownPrivilege 3164 Process not Found Token: SeCreatePagefilePrivilege 3164 Process not Found Token: SeShutdownPrivilege 3164 Process not Found Token: SeCreatePagefilePrivilege 3164 Process not Found Token: SeShutdownPrivilege 3164 Process not Found Token: SeCreatePagefilePrivilege 3164 Process not Found -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 4756 wrote to memory of 436 4756 4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe 89 PID 4756 wrote to memory of 436 4756 4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe 89 PID 4756 wrote to memory of 436 4756 4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe 89 PID 4756 wrote to memory of 436 4756 4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe 89 PID 4756 wrote to memory of 436 4756 4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe 89 PID 4756 wrote to memory of 436 4756 4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe 89 PID 3164 wrote to memory of 1160 3164 Process not Found 107 PID 3164 wrote to memory of 1160 3164 Process not Found 107 PID 1160 wrote to memory of 2336 1160 cmd.exe 109 PID 1160 wrote to memory of 2336 1160 cmd.exe 109 PID 3164 wrote to memory of 1612 3164 Process not Found 110 PID 3164 wrote to memory of 1612 3164 Process not Found 110 PID 3164 wrote to memory of 1612 3164 Process not Found 110 PID 3164 wrote to memory of 3408 3164 Process not Found 111 PID 3164 wrote to memory of 3408 3164 Process not Found 111 PID 3164 wrote to memory of 3408 3164 Process not Found 111 PID 3408 wrote to memory of 2084 3408 AFCA.exe 112 PID 3408 wrote to memory of 2084 3408 AFCA.exe 112 PID 3408 wrote to memory of 2084 3408 AFCA.exe 112 PID 3408 wrote to memory of 2084 3408 AFCA.exe 112 PID 3408 wrote to memory of 2084 3408 AFCA.exe 112 PID 3408 wrote to memory of 2084 3408 AFCA.exe 112 PID 3408 wrote to memory of 2084 3408 AFCA.exe 112 PID 3408 wrote to memory of 2084 3408 AFCA.exe 112 PID 3408 wrote to memory of 2084 3408 AFCA.exe 112 PID 3408 wrote to memory of 2084 3408 AFCA.exe 112 PID 2084 wrote to memory of 4220 2084 AFCA.exe 114 PID 2084 wrote to memory of 4220 2084 AFCA.exe 114 PID 2084 wrote to memory of 4220 2084 AFCA.exe 114 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe"C:\Users\Admin\AppData\Local\Temp\4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe"C:\Users\Admin\AppData\Local\Temp\4254980fa3fa11487087f6ff8cd480ab8f22c7d85a8ac5759119f28c9e9bc124.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:436 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 3283⤵
- Program crash
PID:3832
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 436 -ip 4361⤵PID:3252
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\956A.bat" "1⤵
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵PID:2336
-
-
C:\Users\Admin\AppData\Local\Temp\B9CD.exeC:\Users\Admin\AppData\Local\Temp\B9CD.exe2⤵PID:3956
-
-
C:\Users\Admin\AppData\Local\Temp\A038.exeC:\Users\Admin\AppData\Local\Temp\A038.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1612
-
C:\Users\Admin\AppData\Local\Temp\AFCA.exeC:\Users\Admin\AppData\Local\Temp\AFCA.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Users\Admin\AppData\Local\Temp\AFCA.exeC:\Users\Admin\AppData\Local\Temp\AFCA.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\25111b4e-3e11-490e-8473-ed0f6cb06d72" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:4220
-
-
C:\Users\Admin\AppData\Local\Temp\AFCA.exe"C:\Users\Admin\AppData\Local\Temp\AFCA.exe" --Admin IsNotAutoStart IsNotTask3⤵PID:3792
-
C:\Users\Admin\AppData\Local\Temp\AFCA.exe"C:\Users\Admin\AppData\Local\Temp\AFCA.exe" --Admin IsNotAutoStart IsNotTask4⤵PID:4048
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4048 -ip 40481⤵PID:4692
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 5681⤵
- Program crash
PID:956
-
C:\Users\Admin\AppData\Local\Temp\B9CD.exeC:\Users\Admin\AppData\Local\Temp\B9CD.exe1⤵PID:1160
-
C:\Users\Admin\AppData\Local\Temp\C2F6.exeC:\Users\Admin\AppData\Local\Temp\C2F6.exe1⤵PID:4328
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ua9jq80.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ua9jq80.exe2⤵PID:3180
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ox5vF85.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ox5vF85.exe3⤵PID:4868
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4VT837IJ.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4VT837IJ.exe4⤵PID:3176
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1WL95iE1.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1WL95iE1.exe1⤵PID:2116
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:3160
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:2512
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
PID:4704
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
PID:4816
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gb6wn24.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gb6wn24.exe1⤵PID:324
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3MO51Qy.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3MO51Qy.exe2⤵PID:2264
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:3804
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:5000
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Modify Registry
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
101KB
MD589d41e1cf478a3d3c2c701a27a5692b2
SHA1691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA5125c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc
-
Filesize
737KB
MD502ed1045d708d2fb13a1d1051f5de42a
SHA15aec30f57c3f3ddfa951bfeeafcd96f0675020c3
SHA25640dd4f43d1e66d30a632ac94ad282d748a2c9a96ee0684b94ea4c2bdc3e5eff7
SHA5128b79413dbdb880e5010de9cb32637c651dc85233dd5e3cb308e35f96cfb7609d8c460e186dc41e2493498b11ce56c49b3201670df83f6f95cc5c7a9c55c252e9
-
Filesize
1KB
MD59f5d0107d96d176b1ffcd5c7e7a42dc9
SHA1de83788e2f18629555c42a3e6fada12f70457141
SHA256d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097
SHA51286cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61
-
Filesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
Filesize
4.6MB
MD5a3dea4c1f895c2729505cb4712ad469d
SHA1fdfeebab437bf7f97fb848cd67abec9409adb3b2
SHA256acfa700a776ef8622839fd22f3bcca3e7183e3ee2e21473ca0d9ccdc895c4afd
SHA5129da049b6e9169e1079182ce04fd852e823d6bb31f0be3a814ee687047f3831c3cac58dd46b6a8592714afd102233d40a70a0b66e5f094d014c7059b119aa11c4
-
Filesize
4.6MB
MD5a3dea4c1f895c2729505cb4712ad469d
SHA1fdfeebab437bf7f97fb848cd67abec9409adb3b2
SHA256acfa700a776ef8622839fd22f3bcca3e7183e3ee2e21473ca0d9ccdc895c4afd
SHA5129da049b6e9169e1079182ce04fd852e823d6bb31f0be3a814ee687047f3831c3cac58dd46b6a8592714afd102233d40a70a0b66e5f094d014c7059b119aa11c4
-
Filesize
737KB
MD502ed1045d708d2fb13a1d1051f5de42a
SHA15aec30f57c3f3ddfa951bfeeafcd96f0675020c3
SHA25640dd4f43d1e66d30a632ac94ad282d748a2c9a96ee0684b94ea4c2bdc3e5eff7
SHA5128b79413dbdb880e5010de9cb32637c651dc85233dd5e3cb308e35f96cfb7609d8c460e186dc41e2493498b11ce56c49b3201670df83f6f95cc5c7a9c55c252e9
-
Filesize
737KB
MD502ed1045d708d2fb13a1d1051f5de42a
SHA15aec30f57c3f3ddfa951bfeeafcd96f0675020c3
SHA25640dd4f43d1e66d30a632ac94ad282d748a2c9a96ee0684b94ea4c2bdc3e5eff7
SHA5128b79413dbdb880e5010de9cb32637c651dc85233dd5e3cb308e35f96cfb7609d8c460e186dc41e2493498b11ce56c49b3201670df83f6f95cc5c7a9c55c252e9
-
Filesize
737KB
MD502ed1045d708d2fb13a1d1051f5de42a
SHA15aec30f57c3f3ddfa951bfeeafcd96f0675020c3
SHA25640dd4f43d1e66d30a632ac94ad282d748a2c9a96ee0684b94ea4c2bdc3e5eff7
SHA5128b79413dbdb880e5010de9cb32637c651dc85233dd5e3cb308e35f96cfb7609d8c460e186dc41e2493498b11ce56c49b3201670df83f6f95cc5c7a9c55c252e9
-
Filesize
737KB
MD502ed1045d708d2fb13a1d1051f5de42a
SHA15aec30f57c3f3ddfa951bfeeafcd96f0675020c3
SHA25640dd4f43d1e66d30a632ac94ad282d748a2c9a96ee0684b94ea4c2bdc3e5eff7
SHA5128b79413dbdb880e5010de9cb32637c651dc85233dd5e3cb308e35f96cfb7609d8c460e186dc41e2493498b11ce56c49b3201670df83f6f95cc5c7a9c55c252e9
-
Filesize
737KB
MD502ed1045d708d2fb13a1d1051f5de42a
SHA15aec30f57c3f3ddfa951bfeeafcd96f0675020c3
SHA25640dd4f43d1e66d30a632ac94ad282d748a2c9a96ee0684b94ea4c2bdc3e5eff7
SHA5128b79413dbdb880e5010de9cb32637c651dc85233dd5e3cb308e35f96cfb7609d8c460e186dc41e2493498b11ce56c49b3201670df83f6f95cc5c7a9c55c252e9
-
Filesize
1.3MB
MD57f5108b2158d537f11fd88886c1c047c
SHA1c8249dc7ccf26b99cf1fa8b17e8334f7a27ce883
SHA256da5406c85fcfa394d19d96f77a175539058119cbb86159ca57adcdf79d426ca8
SHA512b07e144e83bdebf4ec2e0227cc9fe40c9d6655776114a3bdc3d82cf935999c46ca2dbfa8cb6d421dfe958eb92a053845e0bffdb1bf42593096d084c04ae60cc1
-
Filesize
1.3MB
MD57f5108b2158d537f11fd88886c1c047c
SHA1c8249dc7ccf26b99cf1fa8b17e8334f7a27ce883
SHA256da5406c85fcfa394d19d96f77a175539058119cbb86159ca57adcdf79d426ca8
SHA512b07e144e83bdebf4ec2e0227cc9fe40c9d6655776114a3bdc3d82cf935999c46ca2dbfa8cb6d421dfe958eb92a053845e0bffdb1bf42593096d084c04ae60cc1
-
Filesize
1.3MB
MD57f5108b2158d537f11fd88886c1c047c
SHA1c8249dc7ccf26b99cf1fa8b17e8334f7a27ce883
SHA256da5406c85fcfa394d19d96f77a175539058119cbb86159ca57adcdf79d426ca8
SHA512b07e144e83bdebf4ec2e0227cc9fe40c9d6655776114a3bdc3d82cf935999c46ca2dbfa8cb6d421dfe958eb92a053845e0bffdb1bf42593096d084c04ae60cc1
-
Filesize
2.3MB
MD5513aa632bf7aa2516aabe52119a2abbe
SHA1e67c64f74897bf65f6b2c89eddb835abe5c710a0
SHA25627ec70986dd54439fe713e03a2a01bf9f0f4274f6edc184979d612959f26755c
SHA51243785c631776acd005493e05cb197e0c9916d62410fbc848f153af051da5bab80678fcb703631f7e6f8c8d991ed0b00be10834dd2fa0be095a924afd2c5e4619
-
Filesize
2.3MB
MD5513aa632bf7aa2516aabe52119a2abbe
SHA1e67c64f74897bf65f6b2c89eddb835abe5c710a0
SHA25627ec70986dd54439fe713e03a2a01bf9f0f4274f6edc184979d612959f26755c
SHA51243785c631776acd005493e05cb197e0c9916d62410fbc848f153af051da5bab80678fcb703631f7e6f8c8d991ed0b00be10834dd2fa0be095a924afd2c5e4619
-
Filesize
1.8MB
MD51b7d97ddffcc642acb8afdb3ee8e7a67
SHA1f5fdaf01bcba97776866453ae942935d053cc5b2
SHA256ee56bdd61a3de39c1fc560eb8d6139132f1f30594d6cb052fd96c6a3170f6a80
SHA512832a70f7e119c0c7c2df42d8d772f75b0aa1e3132299a10e85f768bc0d557b9cc005d6f5ffe3e3aa4b2e6563b78a633b8dafb11c57ff8a93d4c74db36afe9c7f
-
Filesize
1.8MB
MD51b7d97ddffcc642acb8afdb3ee8e7a67
SHA1f5fdaf01bcba97776866453ae942935d053cc5b2
SHA256ee56bdd61a3de39c1fc560eb8d6139132f1f30594d6cb052fd96c6a3170f6a80
SHA512832a70f7e119c0c7c2df42d8d772f75b0aa1e3132299a10e85f768bc0d557b9cc005d6f5ffe3e3aa4b2e6563b78a633b8dafb11c57ff8a93d4c74db36afe9c7f
-
Filesize
1.6MB
MD5f5e9e33bef789205e7d531fce3966042
SHA147f429e262d4374f9081bf4c743823748e8dabc6
SHA25600aeed35b42ae52c679041df5bbf7762e9bb07b048ce68c56ed8b082ba645669
SHA5126e2c4fbbafe99d4d8b18d912fcd19681d3828763a7d3a692725b59e7e028a6ea669d14ae475d7d7476eb4206ab8c3fae2d38f096d7a33152efcaa614b62fedd3
-
Filesize
1.6MB
MD5f5e9e33bef789205e7d531fce3966042
SHA147f429e262d4374f9081bf4c743823748e8dabc6
SHA25600aeed35b42ae52c679041df5bbf7762e9bb07b048ce68c56ed8b082ba645669
SHA5126e2c4fbbafe99d4d8b18d912fcd19681d3828763a7d3a692725b59e7e028a6ea669d14ae475d7d7476eb4206ab8c3fae2d38f096d7a33152efcaa614b62fedd3
-
Filesize
935KB
MD598efc21960f30d2137e7bf23232cd1a4
SHA11cd24234ce828ad84f5f6d631185b951360395f5
SHA256166e336b946a0df62a832e5f15abf7e14f7fc15de71a8a6fd29186216b4631ec
SHA512b58306e5a36ec23d3850f10980a6e796f57851fb2b68001ea38e567a01bedaf0a667db23bf3550d0995a8fd6cd23aa48c4df85de57d9bfb2d0c85201a5e59f70
-
Filesize
935KB
MD598efc21960f30d2137e7bf23232cd1a4
SHA11cd24234ce828ad84f5f6d631185b951360395f5
SHA256166e336b946a0df62a832e5f15abf7e14f7fc15de71a8a6fd29186216b4631ec
SHA512b58306e5a36ec23d3850f10980a6e796f57851fb2b68001ea38e567a01bedaf0a667db23bf3550d0995a8fd6cd23aa48c4df85de57d9bfb2d0c85201a5e59f70
-
Filesize
1.8MB
MD5fa2d7fd895f22a69c0357cad768e575e
SHA10946228fa05c06686152edee6bbbce886da8fff6
SHA256480daf6a907f8bfe16817d341b02bb03fde670bf140e54527cee08ac4c483828
SHA51237d6531882e2a6c898d0aca4838d896676c40d089ce513cdc5946cc76661e2347e14848ed3f637eb3d80bfa444440b2077cbd67a8fc18416c804b937c0bf4f83
-
Filesize
1.8MB
MD5fa2d7fd895f22a69c0357cad768e575e
SHA10946228fa05c06686152edee6bbbce886da8fff6
SHA256480daf6a907f8bfe16817d341b02bb03fde670bf140e54527cee08ac4c483828
SHA51237d6531882e2a6c898d0aca4838d896676c40d089ce513cdc5946cc76661e2347e14848ed3f637eb3d80bfa444440b2077cbd67a8fc18416c804b937c0bf4f83
-
Filesize
37KB
MD54733ffc0d6513f203d024b107aff474e
SHA1c51125c0b46883870e6af4cdf13748344229d6ed
SHA256f7ca655eeaf4a84715c9868c5d27f27f03526c53e1469400df4b8ed933a53209
SHA512be21a3faa36dde04090b8913b54ec022d4532dc4fb1ff7ce63d2680b4bdf9ef9c6f189ccb0a7554d8611987153c3bc9b519b2208a77de4aa5a98d3f02f9935bf
-
Filesize
37KB
MD54733ffc0d6513f203d024b107aff474e
SHA1c51125c0b46883870e6af4cdf13748344229d6ed
SHA256f7ca655eeaf4a84715c9868c5d27f27f03526c53e1469400df4b8ed933a53209
SHA512be21a3faa36dde04090b8913b54ec022d4532dc4fb1ff7ce63d2680b4bdf9ef9c6f189ccb0a7554d8611987153c3bc9b519b2208a77de4aa5a98d3f02f9935bf