Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
19/01/2024, 23:30
Static task
static1
Behavioral task
behavioral1
Sample
68e9767a80e49cdbca8e6d8cb26867aa.exe
Resource
win7-20231215-en
General
-
Target
68e9767a80e49cdbca8e6d8cb26867aa.exe
-
Size
3.9MB
-
MD5
68e9767a80e49cdbca8e6d8cb26867aa
-
SHA1
b6125fdec846e62cde9d65b6af224d9495cd190d
-
SHA256
f91fa2953c6f7d35429a38ff474e1345da76a29c7a90c1c9b9380d9b09d8eead
-
SHA512
510f4a2d309a3fdbcf40e4652b7ad5402a57fd11bd03a4966fb66c0ecf6ce49c93680d49a18afa99cc31871ac0381ccb64bc39d912f2c16d7f43161042cf7220
-
SSDEEP
98304:fnsmtk2aqEIPmLgtC47Ik66NWtZdtzJ9RLkC3COU:vLG8mcA+IJpDV3M
Malware Config
Extracted
darkcomet
Main
whp.sytes.net:1157
DC_MUTEX-Z0KBHP5
-
InstallPath
MSDCSC\main.exe
-
gencode
6SFPopLHSquT
-
install
true
-
offline_keylogger
true
-
password
123
-
persistence
true
-
reg_key
main
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\main.exe" ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\main.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\main.exe" ._cache_Synaptics.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ main.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ iexplore.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ main.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion main.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion main.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion iexplore.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion main.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion main.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ._cache_Synaptics.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ._cache_Synaptics.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion iexplore.exe -
Executes dropped EXE 7 IoCs
pid Process 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe 2832 Synaptics.exe 2624 ._cache_Synaptics.exe 860 MAIN.EXE 1932 main.exe 580 MAIN.EXE 2500 main.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine ._cache_Synaptics.exe Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine main.exe Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine iexplore.exe Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine main.exe -
Loads dropped DLL 14 IoCs
pid Process 3048 68e9767a80e49cdbca8e6d8cb26867aa.exe 3048 68e9767a80e49cdbca8e6d8cb26867aa.exe 3048 68e9767a80e49cdbca8e6d8cb26867aa.exe 3048 68e9767a80e49cdbca8e6d8cb26867aa.exe 2832 Synaptics.exe 2832 Synaptics.exe 2832 Synaptics.exe 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe 2624 ._cache_Synaptics.exe 2624 ._cache_Synaptics.exe 2624 ._cache_Synaptics.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\main = "C:\\Users\\Admin\\Documents\\MSDCSC\\main.exe" ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\main = "C:\\Users\\Admin\\Documents\\MSDCSC\\main.exe" ._cache_Synaptics.exe Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\main = "C:\\Users\\Admin\\Documents\\MSDCSC\\main.exe" main.exe Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\main = "C:\\Users\\Admin\\Documents\\MSDCSC\\main.exe" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" 68e9767a80e49cdbca8e6d8cb26867aa.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe 2624 ._cache_Synaptics.exe 1932 main.exe 536 iexplore.exe 2500 main.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1932 set thread context of 536 1932 main.exe 35 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe 2624 ._cache_Synaptics.exe 1932 main.exe 536 iexplore.exe 2500 main.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 536 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: SeSecurityPrivilege 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: SeTakeOwnershipPrivilege 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: SeLoadDriverPrivilege 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: SeSystemProfilePrivilege 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: SeSystemtimePrivilege 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: SeProfSingleProcessPrivilege 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: SeIncBasePriorityPrivilege 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: SeCreatePagefilePrivilege 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: SeBackupPrivilege 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: SeRestorePrivilege 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: SeShutdownPrivilege 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: SeDebugPrivilege 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: SeSystemEnvironmentPrivilege 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: SeChangeNotifyPrivilege 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: SeRemoteShutdownPrivilege 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: SeUndockPrivilege 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: SeManageVolumePrivilege 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: SeImpersonatePrivilege 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: SeCreateGlobalPrivilege 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: 33 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: 34 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: 35 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe Token: SeIncreaseQuotaPrivilege 2624 ._cache_Synaptics.exe Token: SeSecurityPrivilege 2624 ._cache_Synaptics.exe Token: SeTakeOwnershipPrivilege 2624 ._cache_Synaptics.exe Token: SeLoadDriverPrivilege 2624 ._cache_Synaptics.exe Token: SeSystemProfilePrivilege 2624 ._cache_Synaptics.exe Token: SeSystemtimePrivilege 2624 ._cache_Synaptics.exe Token: SeProfSingleProcessPrivilege 2624 ._cache_Synaptics.exe Token: SeIncBasePriorityPrivilege 2624 ._cache_Synaptics.exe Token: SeCreatePagefilePrivilege 2624 ._cache_Synaptics.exe Token: SeBackupPrivilege 2624 ._cache_Synaptics.exe Token: SeRestorePrivilege 2624 ._cache_Synaptics.exe Token: SeShutdownPrivilege 2624 ._cache_Synaptics.exe Token: SeDebugPrivilege 2624 ._cache_Synaptics.exe Token: SeSystemEnvironmentPrivilege 2624 ._cache_Synaptics.exe Token: SeChangeNotifyPrivilege 2624 ._cache_Synaptics.exe Token: SeRemoteShutdownPrivilege 2624 ._cache_Synaptics.exe Token: SeUndockPrivilege 2624 ._cache_Synaptics.exe Token: SeManageVolumePrivilege 2624 ._cache_Synaptics.exe Token: SeImpersonatePrivilege 2624 ._cache_Synaptics.exe Token: SeCreateGlobalPrivilege 2624 ._cache_Synaptics.exe Token: 33 2624 ._cache_Synaptics.exe Token: 34 2624 ._cache_Synaptics.exe Token: 35 2624 ._cache_Synaptics.exe Token: SeIncreaseQuotaPrivilege 1932 main.exe Token: SeSecurityPrivilege 1932 main.exe Token: SeTakeOwnershipPrivilege 1932 main.exe Token: SeLoadDriverPrivilege 1932 main.exe Token: SeSystemProfilePrivilege 1932 main.exe Token: SeSystemtimePrivilege 1932 main.exe Token: SeProfSingleProcessPrivilege 1932 main.exe Token: SeIncBasePriorityPrivilege 1932 main.exe Token: SeCreatePagefilePrivilege 1932 main.exe Token: SeBackupPrivilege 1932 main.exe Token: SeRestorePrivilege 1932 main.exe Token: SeShutdownPrivilege 1932 main.exe Token: SeDebugPrivilege 1932 main.exe Token: SeSystemEnvironmentPrivilege 1932 main.exe Token: SeChangeNotifyPrivilege 1932 main.exe Token: SeRemoteShutdownPrivilege 1932 main.exe Token: SeUndockPrivilege 1932 main.exe Token: SeManageVolumePrivilege 1932 main.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 536 iexplore.exe -
Suspicious use of WriteProcessMemory 57 IoCs
description pid Process procid_target PID 3048 wrote to memory of 2764 3048 68e9767a80e49cdbca8e6d8cb26867aa.exe 28 PID 3048 wrote to memory of 2764 3048 68e9767a80e49cdbca8e6d8cb26867aa.exe 28 PID 3048 wrote to memory of 2764 3048 68e9767a80e49cdbca8e6d8cb26867aa.exe 28 PID 3048 wrote to memory of 2764 3048 68e9767a80e49cdbca8e6d8cb26867aa.exe 28 PID 3048 wrote to memory of 2832 3048 68e9767a80e49cdbca8e6d8cb26867aa.exe 29 PID 3048 wrote to memory of 2832 3048 68e9767a80e49cdbca8e6d8cb26867aa.exe 29 PID 3048 wrote to memory of 2832 3048 68e9767a80e49cdbca8e6d8cb26867aa.exe 29 PID 3048 wrote to memory of 2832 3048 68e9767a80e49cdbca8e6d8cb26867aa.exe 29 PID 2832 wrote to memory of 2624 2832 Synaptics.exe 30 PID 2832 wrote to memory of 2624 2832 Synaptics.exe 30 PID 2832 wrote to memory of 2624 2832 Synaptics.exe 30 PID 2832 wrote to memory of 2624 2832 Synaptics.exe 30 PID 2764 wrote to memory of 860 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe 31 PID 2764 wrote to memory of 860 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe 31 PID 2764 wrote to memory of 860 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe 31 PID 2764 wrote to memory of 860 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe 31 PID 2764 wrote to memory of 1932 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe 33 PID 2764 wrote to memory of 1932 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe 33 PID 2764 wrote to memory of 1932 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe 33 PID 2764 wrote to memory of 1932 2764 ._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe 33 PID 1932 wrote to memory of 536 1932 main.exe 35 PID 1932 wrote to memory of 536 1932 main.exe 35 PID 1932 wrote to memory of 536 1932 main.exe 35 PID 1932 wrote to memory of 536 1932 main.exe 35 PID 1932 wrote to memory of 536 1932 main.exe 35 PID 1932 wrote to memory of 536 1932 main.exe 35 PID 2624 wrote to memory of 580 2624 ._cache_Synaptics.exe 36 PID 2624 wrote to memory of 580 2624 ._cache_Synaptics.exe 36 PID 2624 wrote to memory of 580 2624 ._cache_Synaptics.exe 36 PID 2624 wrote to memory of 580 2624 ._cache_Synaptics.exe 36 PID 2624 wrote to memory of 2500 2624 ._cache_Synaptics.exe 37 PID 2624 wrote to memory of 2500 2624 ._cache_Synaptics.exe 37 PID 2624 wrote to memory of 2500 2624 ._cache_Synaptics.exe 37 PID 2624 wrote to memory of 2500 2624 ._cache_Synaptics.exe 37 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40 PID 536 wrote to memory of 1096 536 iexplore.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe"C:\Users\Admin\AppData\Local\Temp\68e9767a80e49cdbca8e6d8cb26867aa.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe"C:\Users\Admin\AppData\Local\Temp\._cache_68e9767a80e49cdbca8e6d8cb26867aa.exe"2⤵
- Modifies WinLogon for persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Users\Admin\AppData\Local\Temp\MAIN.EXE"C:\Users\Admin\AppData\Local\Temp\MAIN.EXE"3⤵
- Executes dropped EXE
PID:860
-
-
C:\Users\Admin\Documents\MSDCSC\main.exe"C:\Users\Admin\Documents\MSDCSC\main.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\notepad.exenotepad5⤵PID:1096
-
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Modifies WinLogon for persistence
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Users\Admin\AppData\Local\Temp\MAIN.EXE"C:\Users\Admin\AppData\Local\Temp\MAIN.EXE"4⤵
- Executes dropped EXE
PID:580
-
-
C:\Users\Admin\Documents\MSDCSC\main.exe"C:\Users\Admin\Documents\MSDCSC\main.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2500
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.6MB
MD5c20232f07e982da1550deaee45533d7d
SHA11cf678f200e473b8fa83c1c8644f71779e61f9bf
SHA25650965fb146fc424bfaaccf076b510ad30dd401015a60d85a8e0377735735aa7d
SHA512d318bcf1fd6406995e98b43390e589fa75c06f5657cfd5e074d2f9afc5ba1bb002d689124b37092a77239303dda684e0821bfdafd2116dad291e8995feaae532
-
Filesize
2.1MB
MD57d0fc7bd97229713c4a3c9e962f57c56
SHA1d7e529a936361f0e14b6c9822fea1b6fcfe096fd
SHA256d4469b7f98b21dba49be9ca19ea8afed0a2048b27c0f004d6ecd182f380c6cde
SHA5126bcd4ddaf020d06ce489b06d4ed82b5c9f18d2c7edc07c1eac310199199303db14456d6806fa11f7480f3a1d54e2861c71e32ee43eaa8b54ed7f3763f46ce05d
-
Filesize
3.9MB
MD568e9767a80e49cdbca8e6d8cb26867aa
SHA1b6125fdec846e62cde9d65b6af224d9495cd190d
SHA256f91fa2953c6f7d35429a38ff474e1345da76a29c7a90c1c9b9380d9b09d8eead
SHA512510f4a2d309a3fdbcf40e4652b7ad5402a57fd11bd03a4966fb66c0ecf6ce49c93680d49a18afa99cc31871ac0381ccb64bc39d912f2c16d7f43161042cf7220
-
Filesize
2.1MB
MD5d594daf93080a00e040d705c1c78c5dd
SHA116d488e4bf69441e89ce38b88657ff333560ea45
SHA2566d5e0e661fa8abf437ffcbd883b76a75eb3f8ba245af5dc5eb39539c3798dda7
SHA512fc711cf0248e1cb997e3e6e00cbbfd7cb5a86efeb3308907a7dbea4184736b99ef90a89038b88313ff9b2617cf9585218b32e10d447ef5cd0656e730d27a76b7
-
Filesize
1.4MB
MD58912620694ec1beeb7acc27cc2e8ce39
SHA178e4ad8366afe9ddf315c223e09600378db9c5bd
SHA2562a8f062660e0b392fd2654f27c5324ed1b503135baf9238569ac5694236af4ee
SHA5128759b5c374eae372c4eac0d62016ed4a0ff109d36b5032f2ec1ce30ebcbf075e1e0794deb2938f71149375bc37dfc329c93170b1fc5f3df315b28169d7e378fb
-
Filesize
1.2MB
MD5fcdbdc888e2a47c2fba1eeacc939ca8c
SHA1242e43d37c87804bd89f53ae392a8539564ddc83
SHA25643f7f1beca14031a08fa255720c5e051321e1f0d263a05bd3f3073916002ba3b
SHA512d42b26eda2c731945502d527deb51210ec41b9643619d3f925d557ddf09e7277fd7f313341660947a9bd53a80623b40253c92912b1026bff8304cf80bda14ad1
-
Filesize
1.9MB
MD50b93507475b24d11d7844837f55db512
SHA19f42a6c78c5fd5d1d6e5c0132e1a5408a354c46f
SHA25629a94b8d47d6180575dc57be51e7fd68a1bf8b181bc7b4a2efdcdc1cb0588830
SHA5120c2124e8dfb6f05f1c2aa2ff7cc3cef3434c243379277927d06211424dcec813e7d9afa2317efc0d3341d45222b0c33acad545580df9b7ac4c7bf965d9deb0e2
-
Filesize
640KB
MD58651f8ad64fb786a11db7076c7c3dce0
SHA17efdba6f0eb41452528fa543a89e4a8ac910b1c6
SHA2565bb9e200747c45f54a9ea47c630ada69f65480bcabc6aa98b2028b403bdaef53
SHA5128aa6c2ef95297f70b40b701dcd059a937b872ea76ecfd8dd5e1dfb9581bcad3b23b19525993708a0363aa50c8bc9ca3618228b25556381026f9d93b4f9389a7b
-
Filesize
1.4MB
MD579c6a4894283d3925ccb74b3168b5fd2
SHA1196c0d71ab7439d58127afd8634ffee29275597b
SHA2562ca817ae6d29f1170c72a9363fe1fb9337b749d95cca5982aa098c07cebeb284
SHA5124153a6cf226d7dd366fa9ffc7de01a885a34fcd5a51c02b11e7c144f3073de834ffc13ae32240f1dd577407b4566cbd7435b9ada3061ea3990dc95d80f8ff7eb
-
Filesize
896KB
MD5f4d2cfb5b87e98146adec783a48716a8
SHA120b08e09acda0501a3c427d8413d837114859ca7
SHA256fe15cf1a319583071013e07a412eaa43f5ecfb6a6b93a4f4aeb9e8d2f3555405
SHA5124159cd20d5d901e22fac628e8da4b3d3481898aa586526d221d7f743125fb0a9d05e416e98898d41e6343a60de32c2136a4ba314c775d531be17e0c178ec4d74
-
Filesize
1.7MB
MD56a413037fc2b1de7912f13ec2a4d046f
SHA16bf51b46dce10ae548130e994ae946b64c8fa5c0
SHA256d01d51179abbbacc10600684e874d38cfef0bc04a91e3cccae4a0c91dfff2c89
SHA5127c89e054f7a63972364685a3cbce98703ec52cfcfb8005a4dca5d19ed7c3f056b374ac68596221ac970f53fbc6f4b1b4db8633d07de79f3ed7207db259981742
-
Filesize
256KB
MD5fdca23190241667981a746051a66ef58
SHA12e63abb29719ee2caed1adc5a8e81179dd66e3e1
SHA256e6de2aad745d94d1408c68240effa10ec06b258daa6d0801a5ff5a79fc9762ce
SHA512488a20cb79a887b902d03abe6afab1590242fdaa9c38a4f20e50e3ae1f35298c537e304d26a100de6344bfbea1d00eee2a26ccd4f6f26aec1716b50dd17341bd
-
Filesize
3.3MB
MD5413268aaed96490ef3a7dd1ac3e76095
SHA12c251af1d00e64683af7c798b9e3149e856b67a9
SHA25631484bd33380e7b5fbb47cd38ce94dec8074b7d815d21a767fdd29f8d426305e
SHA51213ec0b2c8c05a2bed26c3e5f3284e282508567c74ae895d1eeccbbf2c55089398292b60d429ce5ac4e7aa7ad6a3e7044598463e2d6c21061c05b0f857ec26008
-
Filesize
3.0MB
MD588bbb2eab7fe13c118d08f44c4750379
SHA1b0755cb88fe4fa81cbd3bc45b4b5530549760293
SHA256b5c26a209ee62d36f37eb6e387100fa72b39923556d49be2d91fca85e6795b06
SHA512de768f7b15df8ac836a7b1c0531041121228d2946838d9a40704ec1e7dfe648eb252ba38ead59b1d704985250a5b276f3b90613f0e75b48ba1fa7bb767cd55b7
-
Filesize
3.6MB
MD5d14e1534ba4d2b73467f5339e27f247f
SHA19b044e8b544c8b315244fa1489f045e226e56a3f
SHA256e37168d09980d6235e679968f9d5e9a7c3e5140f1c5571bce28471ba259d234d
SHA512f1707d97e1bfd1013808538e8bbc89b802c65e01ba3bddab3580cc1d900e888148fc810c5c97c7e6267eb7ac9ffef3b5fc7557cb0598077299c35e8919e42c88
-
Filesize
3.2MB
MD5adf43260a99ad4ad02f71dc4bb4a6fb4
SHA1c913da7b00ec6c73e29c4bd26ca46a07af531a60
SHA256b0dea29e2862732605642902983b4f6f067937b7335fa09a4ecb8c81222d61df
SHA5128ec38afa0787fc9dbf5964bab7fe3975387c15ad29a5c7e4ada51872a9e10c2b9992c6bafa866ee9a8406775f40912f1e27e27bfebf7ae3574798d5503169acb
-
Filesize
2.5MB
MD560c6bc223bf367d058cee3599410015a
SHA1abcc359bf749877b6b2aa8496f740c2f40da10a9
SHA256da6ef579db04639d7732e5bca2799d4558796e162d497c47fbb7f32cca89a924
SHA512cf2f91104a68ba9910c0c575d62b0f32735d11c2fb46d13f2213720c065cfa87562fb54eae7e7c541060b23af980dd5ad203c15fd342b5651a34bc882370474f
-
Filesize
1.1MB
MD54bf6a6f7a04286ab3fb18582fcd8a96d
SHA136780cbc76d1ca2d9ccb4ddcde87f7d2e40529d3
SHA256eef109a0f7ea1ce54933fb66e763dc8e9980ce4b823ea4b1e32ac4f10b4806cc
SHA51209dda82289816d5a4a7d120fc2e923b28293b70f436ed080e53f8aa80b8453218a38f7d1179c9081edc554547fbf418f37fed6b5f209312233c74b685277ae28
-
Filesize
3.1MB
MD5a88dc7e09b9f0bf848f573876330fa82
SHA11768fec9a20d15eb9928b8bc509c27ee489035b0
SHA256508df82e23ec52765d98e2c02e6a0268b6c2aaf11aca8a3539e25156b86491bd
SHA512c775b2bf8c5726ecea06223f00a79b2b826a7d0f1fc7901e04ad5749004449ea8f3fc55183189767e521590bfdeb40416bf5c196e0b00f70092ef5942c34eabe
-
Filesize
1.3MB
MD5bf67ef380ad9b149254d40391e48fc1e
SHA1cb1afc3745e451f82626c66b21ead9565c6df172
SHA256819d032ad83c14788ccd9b3bd264d1aad0f2ad47531acffc0069a851d9fecd4d
SHA512ed0f1cc0376f809b00f507592b3bbc1e217b24f33ffffbfeac341354a6e7504c685724c83b220b89f5ccba9752f751ccf63fc57b5c97ee844df86d7d9daeeead
-
Filesize
1.2MB
MD5b624f14f06b542e18c3fc019570a8e49
SHA1525b60df4383e5dda20137f9066ffb5b0ead9032
SHA2566118b65fee353766a0bae8c11deed55568cc13269eb975acbe1f2d2069275b3f
SHA5122c236a3cfde62799ae2afb2802295a0e155015c5bad7ba9e5f336b338cb855a614d75afc43fe9df5d4ffab858935855121c62d2fc635bbc1cafbfc9d879e90ed
-
Filesize
1.9MB
MD5a15c661358ba7256b2cd4ada427c55db
SHA13fc2fc27dfd14d89e526765fda10c5f656603d97
SHA256fa922077ad8bae4b16616a134f43427a9731fe0009f0dc9c40ff08d0443460f0
SHA5124000eba1f7fda9b047a6f840782064f7227aafc29af0b43aad4d661618a873985e497a4280e968b4fd15524f7b5aff4c6d3925ff1f13b1a28ff3e93fa9eb042a
-
Filesize
512KB
MD545497da2fcda9ca1ef9b493fd6b85307
SHA1495e21ff9210dde23f318f9e36fd7ad4222f977d
SHA256a9cf508e72fe053ee6a70404f343ea6e00839ef3206895e67097c0b3a64bd41e
SHA51289e8409d7e9419e1c7a109af4819c439d86a0463cf59e10f1a53179bc927b7274892daad017f4924d84e94300ec9f9cc74fa9f11c74f6730810a0d0d6821b766