Analysis
-
max time kernel
59s -
max time network
158s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
27-02-2024 01:44
Static task
static1
Behavioral task
behavioral1
Sample
5cddaacf9782c030db128e3ebfd8f301.exe
Resource
win7-20240221-en
General
-
Target
5cddaacf9782c030db128e3ebfd8f301.exe
-
Size
162KB
-
MD5
5cddaacf9782c030db128e3ebfd8f301
-
SHA1
71bae291b66ecfad6ee79ab150c9b4bdc676f06c
-
SHA256
6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23
-
SHA512
bee3cbdeac5a317f58ebb2d621740f8b7e81e47db236327cb0e908bc49886e320e30a95191470953177740f702adfe704a626325ddd2a33f10c8ec3060059797
-
SSDEEP
3072:pR3aImWaDnBilDV8X+Ld1VVuLtKsQfk1RoGJS4dNVEv:pIbWaDBilDVNLdJBsQfk77X
Malware Config
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
http://kamsmad.com/tmp/index.php
http://souzhensil.ru/tmp/index.php
http://teplokub.com.ua/tmp/index.php
Extracted
smokeloader
pub1
Signatures
-
Glupteba payload 7 IoCs
Processes:
resource yara_rule behavioral1/memory/2060-168-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/2060-171-0x0000000002C30000-0x000000000351B000-memory.dmp family_glupteba behavioral1/memory/2060-206-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/2060-314-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/2060-337-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/2848-345-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/2848-396-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 2460 netsh.exe -
Stops running service(s) 3 TTPs
-
Deletes itself 1 IoCs
Processes:
pid process 1256 -
Executes dropped EXE 9 IoCs
Processes:
CF50.exeE024.exeE42B.exeE024.exe590.exe590.tmp3307.exe288c47bbc1871b439df19ff4df68f076.exeInstallSetup4.exepid process 2668 CF50.exe 1996 E024.exe 620 E42B.exe 980 E024.exe 1788 590.exe 1536 590.tmp 2364 3307.exe 2060 288c47bbc1871b439df19ff4df68f076.exe 2252 InstallSetup4.exe -
Loads dropped DLL 13 IoCs
Processes:
WerFault.exeregsvr32.exeE024.exeE024.exe590.exe590.tmp3307.exepid process 2508 WerFault.exe 2508 WerFault.exe 2508 WerFault.exe 2456 regsvr32.exe 1996 E024.exe 980 E024.exe 1788 590.exe 1536 590.tmp 1536 590.tmp 1536 590.tmp 2364 3307.exe 2364 3307.exe 2364 3307.exe -
Processes:
resource yara_rule behavioral1/memory/980-58-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/980-61-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/980-53-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/980-63-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/980-65-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/980-67-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/980-129-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/980-165-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/980-183-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/980-191-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/980-222-0x0000000000400000-0x0000000000848000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
E024.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" E024.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
E42B.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 E42B.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
E024.exedescription pid process target process PID 1996 set thread context of 980 1996 E024.exe E024.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exepid process 2032 sc.exe 2004 sc.exe 3044 sc.exe 1952 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 2508 2668 WerFault.exe CF50.exe 2708 2520 WerFault.exe 7DBF.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
5cddaacf9782c030db128e3ebfd8f301.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 5cddaacf9782c030db128e3ebfd8f301.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 5cddaacf9782c030db128e3ebfd8f301.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 5cddaacf9782c030db128e3ebfd8f301.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
5cddaacf9782c030db128e3ebfd8f301.exepid process 3064 5cddaacf9782c030db128e3ebfd8f301.exe 3064 5cddaacf9782c030db128e3ebfd8f301.exe 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
5cddaacf9782c030db128e3ebfd8f301.exepid process 3064 5cddaacf9782c030db128e3ebfd8f301.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description pid process Token: SeShutdownPrivilege 1256 Token: SeShutdownPrivilege 1256 Token: SeShutdownPrivilege 1256 Token: SeShutdownPrivilege 1256 -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
590.tmppid process 1536 590.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
CF50.exeregsvr32.exeE024.exe590.exe3307.exedescription pid process target process PID 1256 wrote to memory of 2668 1256 CF50.exe PID 1256 wrote to memory of 2668 1256 CF50.exe PID 1256 wrote to memory of 2668 1256 CF50.exe PID 1256 wrote to memory of 2668 1256 CF50.exe PID 2668 wrote to memory of 2508 2668 CF50.exe WerFault.exe PID 2668 wrote to memory of 2508 2668 CF50.exe WerFault.exe PID 2668 wrote to memory of 2508 2668 CF50.exe WerFault.exe PID 2668 wrote to memory of 2508 2668 CF50.exe WerFault.exe PID 1256 wrote to memory of 2416 1256 regsvr32.exe PID 1256 wrote to memory of 2416 1256 regsvr32.exe PID 1256 wrote to memory of 2416 1256 regsvr32.exe PID 1256 wrote to memory of 2416 1256 regsvr32.exe PID 1256 wrote to memory of 2416 1256 regsvr32.exe PID 2416 wrote to memory of 2456 2416 regsvr32.exe regsvr32.exe PID 2416 wrote to memory of 2456 2416 regsvr32.exe regsvr32.exe PID 2416 wrote to memory of 2456 2416 regsvr32.exe regsvr32.exe PID 2416 wrote to memory of 2456 2416 regsvr32.exe regsvr32.exe PID 2416 wrote to memory of 2456 2416 regsvr32.exe regsvr32.exe PID 2416 wrote to memory of 2456 2416 regsvr32.exe regsvr32.exe PID 2416 wrote to memory of 2456 2416 regsvr32.exe regsvr32.exe PID 1256 wrote to memory of 1996 1256 E024.exe PID 1256 wrote to memory of 1996 1256 E024.exe PID 1256 wrote to memory of 1996 1256 E024.exe PID 1256 wrote to memory of 1996 1256 E024.exe PID 1996 wrote to memory of 980 1996 E024.exe E024.exe PID 1996 wrote to memory of 980 1996 E024.exe E024.exe PID 1996 wrote to memory of 980 1996 E024.exe E024.exe PID 1996 wrote to memory of 980 1996 E024.exe E024.exe PID 1996 wrote to memory of 980 1996 E024.exe E024.exe PID 1996 wrote to memory of 980 1996 E024.exe E024.exe PID 1996 wrote to memory of 980 1996 E024.exe E024.exe PID 1996 wrote to memory of 980 1996 E024.exe E024.exe PID 1256 wrote to memory of 620 1256 E42B.exe PID 1256 wrote to memory of 620 1256 E42B.exe PID 1256 wrote to memory of 620 1256 E42B.exe PID 1256 wrote to memory of 620 1256 E42B.exe PID 1996 wrote to memory of 980 1996 E024.exe E024.exe PID 1256 wrote to memory of 1788 1256 590.exe PID 1256 wrote to memory of 1788 1256 590.exe PID 1256 wrote to memory of 1788 1256 590.exe PID 1256 wrote to memory of 1788 1256 590.exe PID 1256 wrote to memory of 1788 1256 590.exe PID 1256 wrote to memory of 1788 1256 590.exe PID 1256 wrote to memory of 1788 1256 590.exe PID 1788 wrote to memory of 1536 1788 590.exe 590.tmp PID 1788 wrote to memory of 1536 1788 590.exe 590.tmp PID 1788 wrote to memory of 1536 1788 590.exe 590.tmp PID 1788 wrote to memory of 1536 1788 590.exe 590.tmp PID 1788 wrote to memory of 1536 1788 590.exe 590.tmp PID 1788 wrote to memory of 1536 1788 590.exe 590.tmp PID 1788 wrote to memory of 1536 1788 590.exe 590.tmp PID 1256 wrote to memory of 2364 1256 3307.exe PID 1256 wrote to memory of 2364 1256 3307.exe PID 1256 wrote to memory of 2364 1256 3307.exe PID 1256 wrote to memory of 2364 1256 3307.exe PID 2364 wrote to memory of 2060 2364 3307.exe 288c47bbc1871b439df19ff4df68f076.exe PID 2364 wrote to memory of 2060 2364 3307.exe 288c47bbc1871b439df19ff4df68f076.exe PID 2364 wrote to memory of 2060 2364 3307.exe 288c47bbc1871b439df19ff4df68f076.exe PID 2364 wrote to memory of 2060 2364 3307.exe 288c47bbc1871b439df19ff4df68f076.exe PID 2364 wrote to memory of 2252 2364 3307.exe InstallSetup4.exe PID 2364 wrote to memory of 2252 2364 3307.exe InstallSetup4.exe PID 2364 wrote to memory of 2252 2364 3307.exe InstallSetup4.exe PID 2364 wrote to memory of 2252 2364 3307.exe InstallSetup4.exe PID 2364 wrote to memory of 2252 2364 3307.exe InstallSetup4.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe"C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3064
-
C:\Users\Admin\AppData\Local\Temp\CF50.exeC:\Users\Admin\AppData\Local\Temp\CF50.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1242⤵
- Loads dropped DLL
- Program crash
PID:2508
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\D911.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\D911.dll2⤵
- Loads dropped DLL
PID:2456
-
C:\Users\Admin\AppData\Local\Temp\E024.exeC:\Users\Admin\AppData\Local\Temp\E024.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Users\Admin\AppData\Local\Temp\E024.exeC:\Users\Admin\AppData\Local\Temp\E024.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:980
-
C:\Users\Admin\AppData\Local\Temp\E42B.exeC:\Users\Admin\AppData\Local\Temp\E42B.exe1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:620
-
C:\Users\Admin\AppData\Local\Temp\590.exeC:\Users\Admin\AppData\Local\Temp\590.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp"C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp" /SL5="$201F6,2424585,54272,C:\Users\Admin\AppData\Local\Temp\590.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:1536
-
C:\Users\Admin\AppData\Local\Temp\3307.exeC:\Users\Admin\AppData\Local\Temp\3307.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"2⤵
- Executes dropped EXE
PID:2060 -
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"3⤵PID:2848
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵PID:1904
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
PID:2460 -
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵PID:2788
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"2⤵
- Executes dropped EXE
PID:2252 -
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe3⤵PID:1628
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "4⤵PID:1636
-
C:\Windows\SysWOW64\chcp.comchcp 12515⤵PID:668
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F5⤵
- Creates scheduled task(s)
PID:268 -
C:\Users\Admin\AppData\Local\Temp\nsz66C1.tmpC:\Users\Admin\AppData\Local\Temp\nsz66C1.tmp3⤵PID:1488
-
C:\Users\Admin\AppData\Local\Temp\FourthX.exe"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"2⤵PID:2288
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵PID:1204
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "UTIXDCVF"3⤵
- Launches sc.exe
PID:2032 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵PID:1696
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵PID:2864
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"3⤵
- Launches sc.exe
PID:2004 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "UTIXDCVF"3⤵
- Launches sc.exe
PID:3044 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:1952
-
C:\Users\Admin\AppData\Local\Temp\4705.exeC:\Users\Admin\AppData\Local\Temp\4705.exe1⤵PID:1164
-
C:\Users\Admin\AppData\Local\Temp\7DBF.exeC:\Users\Admin\AppData\Local\Temp\7DBF.exe1⤵PID:2520
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1242⤵
- Program crash
PID:2708
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227014540.log C:\Windows\Logs\CBS\CbsPersist_20240227014540.cab1⤵PID:2480
-
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exeC:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe1⤵PID:540
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵PID:2620
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:544
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:2932
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:1940
-
C:\Windows\explorer.exeexplorer.exe2⤵PID:1096
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Modify Registry
1Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
832KB
MD5b29cd31f15d37cebbe2804adc62ce2e9
SHA1e036f370e3b9a849609823c1cf295c07968b91a0
SHA256082ab87e967c75809e40fab5cdfd97aa48c3827b52e26188d9fabfadd5da4bf2
SHA5122a031213cadf534acf2ef564937fa6102f7103d91513498c0c4dfef4f3056a1f568e7db70ef9ad817e75117dbead7b0f5e4e8bf59767f026ca09831f321860f4
-
Filesize
704KB
MD5029a5147d2f0d080800b095d06298a55
SHA16d53b0c00f128318d23de9db082989e30369baad
SHA256cd1818fa6f2a4cbdd75985ba9e36c6141d206f5728b994875c3af7c874938566
SHA512b035c22bd7b41375cff69882f696d37f8167c12a770da3f6d919d1350789bd1f1d4cfc623fe325c696b3f30e96632bbd1233cdff878df05e8c5b7a153f3c9e1c
-
Filesize
1.6MB
MD5aaf0bb37ae70edf36b650977fe25658f
SHA1dec39feae72f0c5ae84775303e543ca353de6256
SHA256bb578336ff40082f50aa894cd7b33f4078d16277942c35b20da5da995fe21d06
SHA512d0c8bbd2d0fbc4821c2ee12245aa9cd434c138256fc10b7c3717cd4988b3298a221c7da764a2bb67d511870dc9ae52cf018304bb04744212fac2461bd4a055e4
-
Filesize
1.5MB
MD534666eafe0fffb6a73e31c1e09ecac4f
SHA1ffd5c92070e4a8fab8f8095316d73ccd485f6294
SHA256d429c8dcd6ef1fb942bcf3543e0368f54d62c0519076daecd3bc5f0aa8713232
SHA512542a9e8b722ea5dcc245978d026c7a11b0e7b4f7ed651fa9f4a562bb93ed33eb3edcbc57d075a154520a007898f4bad0734031238898feece2a816e7c99f7966
-
Filesize
2.0MB
MD5b8bbbebf6a96db29f8a6c2c3e2726b72
SHA1074958a02f3c65261dfe5d4c349b7af4849ee707
SHA25625acbb3a7b3a4932482dee31862427ff7d8bb58035d5864a6ea8e6e4c653ae39
SHA5121f63650dc10cb4c074387e8df352c17b58a05305b363bc4042949872aa4eb9221e831a5ef17e73fe8c24cab2715361e0629e775f7b5c790598a7ee5b075c5f74
-
Filesize
179KB
MD550148f4315ccf59c839a333b524595a5
SHA1abadbc87f030d1323115261f075dc16252648091
SHA256b5bd19a7fbe8a92bec9d5c245ee65ddb6c391a1fa30fcef49f71c51303281f7b
SHA5123270b1951106e7b91738d3f0c6fc71396e1ee0a516edfccc852bc29b0369f8c413a4ec28350c38dacbfceac0d3af2c26f2321a25bcbaf6e5855c82f444e83779
-
Filesize
2.8MB
MD5c3f5e923e98033384378a97de22f6fe7
SHA128220ec8eb322e95ecad1556885f73a43ad2ebf4
SHA2564b2388ef97e538904f770f45f5e294711378b584241e3256f7b755a5210b9e1d
SHA5120db32fa0388e0f3ae72ec73a878a288256b31dc7574912467639f26182907f186c9ea39ced564b3532481f31b1d7e144d5020344557cd55fcfa966d4317a6e75
-
Filesize
3.2MB
MD517d2301b2e6709fbc82d586eb8b833df
SHA174dbdb416b28071578fb43318d33ab4e62fe6a1c
SHA2565fc49f408707b26cf4ccd7f08dc972a1383459f2699832ea772357c64e83eb9c
SHA512844d04c930d6c47bf118ca490dfeade96a49c7e159aa42a129d8124740eb41b3f63651c181d286dcd9d77a4a725f5150c709663faf2cb6618de4926bb10adbdf
-
Filesize
163KB
MD50ca68f13f3db569984dbcc9c0be6144a
SHA18c53b9026e3c34bcf20f35af15fc6545cb337936
SHA2569cd86fa59ea2d10f9b9f3293c132f158fcb7dd993fdb706944f9fe9fa409504a
SHA5124c3a3be5fda0f9060a08b95383b5260e4079dbcff73849d2fac88520ae625c33a73c5858b25b717fcccebf03c3ad9b19807de8bcfa7ea22be6648cc965072b7d
-
Filesize
674KB
MD53e15b66793892cd12d81bd4c2d59919e
SHA18aeca5bff3549f3ac0e8bfaf12160be4e9f503ac
SHA256cbfae0c1c01572e0538e0a951ad365c8757492165d33efbfbf85f7e8714c1768
SHA5124def262d824a10b5995f3267f8a4d514818c00a8e2c123537dd8c2dec6f79e45ee3f21a51631175e9fd3c7fa7b6d960f57eae504112762179b95161b38277668
-
Filesize
8.8MB
MD5e7b4463b55575c4b778ef1a9c52dd863
SHA11f4bf0a3b30ada5013a15ffd97bc0a1aa0dbd2c8
SHA2561c623144a973b01898c9155341077b0430fcea87854616a090d5af69559808eb
SHA51234d0b805567e6f0e0298e3ba1bcde24d3e71686a8c51f5dcbbe9d28a47e2478fae09d1fa5f74384fc6f184bc239d66fce4a45b3be8470e6507f535d6f045714c
-
Filesize
2.5MB
MD57b96170ca36e7650b9d3a075126b8622
SHA1311068f2f6282577513123b9181283ffb01d55ce
SHA256e85d92a87e4bc4fd5062e9b1ff763ad228da2bb750e98fc9e29e20075f3d26f6
SHA512e5ad08aebfcd41ac76de3544bf3f7b720c36ab2a0c8d2ad26e2c5e672d24dab22ba49aa94e47f90c6014f42b4a23d0f644b0b91a02242b8dd3b7368940d56bfd
-
Filesize
2.2MB
MD5308f05365b5778ea836482f5ea12870f
SHA1140d5aeb4c8b53a6078541c940c1f32a949021c8
SHA25608799d13619c9d39798ec8bc2cac904d6a6538e48cda60c96e0cf78e7e40ca7a
SHA512e683b194c0d22fea61c29130587a8f6935cb01f9e133ee9eea2640dbacdc64d818ccbd965b3ce147bd91c92585816570737ed075515a420d2c8513de77314429
-
Filesize
5.9MB
MD5cef45ef8a5a648c3b83abb21933a054e
SHA10ce2fecefe51ee3cba3abac1575987e00991d4ce
SHA256922d042369769d5c2c049303d86cd3214931dfbeb9b9577fe0ce2c02f1b3dbab
SHA512d3d659ce80d2cc54e68caccd00400e15d4f7059c18daaaf3bd16d469514112bede7643932e8f49cce340faa02dd541e563642a3afbf83d559f3cb7156275423d
-
Filesize
6.2MB
MD598032e01a07b787b4416121c3fdf3ae5
SHA165c8dc24c8b5d416c1e51105e190c440762069f3
SHA2568ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7
SHA5123db2d03a323a6be3014eeba75dc56bd0ad486c23e05824f64399ea9c11da8a958380846a06f672a5153c5754778387e6b07d86fe1c05cca7afe3b1b8f17438fb
-
Filesize
2.2MB
MD50382fa4f0e27cfe8971b5ee495c5ecd3
SHA19f19db447e16a1ba65608dfde4857ed17a5ebf83
SHA256d118eddfed9567a4e5e49b56259f5366ed74e19270b1e0232ba6df34968c65ee
SHA51237e3e4e73e626e5b2c14203b9c5d6e2dd95e809745d030aba6c91ee96fe9525e80c9b909a1927761915b16b2805503b742a765e73fd7d7deed559abee9e47356
-
Filesize
5.0MB
MD50904e849f8483792ef67991619ece915
SHA158d04535efa58effb3c5ed53a2462aa96d676b79
SHA256fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
SHA512258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5
-
Filesize
5.0MB
MD5a646fcf542433f66fdd00124341a9e86
SHA13cd7e3049b7a7372910b1b8ce2a4db280bfdaf24
SHA2560225146767ca5842d186b883d6ee94cbbb88d4ea2179a43173b9f82bea8654f2
SHA512b7a0be1f2385b4421c34a9ea0dd4c3eb9f4145e875c45aa5c1a5db21e9510fbb6de3638fc0055ace90de8e93243077c0568ca3670fd52914bfe3298ccfca8a33
-
Filesize
623KB
MD5d4f8a7b87e314de52b2eee95fb03d2b5
SHA102aadb8ec54b0e86f29605ff374eafce765694b2
SHA256745ee7c3aa4b9731955a38fe69933df2e78051f244a928e5b8227ea014d2787f
SHA5127a13a179ab8d8667df203f04b473e65fbcf508dc568e4b88f7936d295d97d140cb9cb79b8eda0cea1ade0353725d4fe3302b740e1fabbc951a5eec18d4dccfa0
-
Filesize
1.6MB
MD53a57dc900df7d0c26658c8359e9cf0ed
SHA113bf3442ea417341c42a99fc00627fda7d3cf623
SHA256d86b53f57b7e62d4e0d02d9566e6a893c2ca85d7b81c8623d3f362e61fc4cf84
SHA51257153a2e069a8ce6879529c6bc47e6ef970796bd6d1e354e5f7fd231f6408e2c0935b3c0f1b83f96d9ae9aff715dd9a2d7f058ed7f2afd9702348cbb5cdc893e
-
Filesize
1.4MB
MD5c5c406dbc57f69005ff8854f28e7bd92
SHA1776bc4f2f64e6767c76ae22eaaa3156e92c8693e
SHA256784a1816912b23c7940873f956fd731a9fcf728709c53bceca0cbeadc0b3bec0
SHA51298dd4d749ec7e58f4eb4947e412e1c3d4d5ca28a98fb51d339a6a957acfe8bcae85cb54ef3627b31a9a95659a79f31637f97a6efd0efc43859caa254d447bc32
-
Filesize
1.9MB
MD5398ab69b1cdc624298fbc00526ea8aca
SHA1b2c76463ae08bb3a08accfcbf609ec4c2a9c0821
SHA256ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be
SHA5123b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739
-
Filesize
704KB
MD51df9c98963f3d20b3f3f5db8152e3052
SHA1c8203e4dee088a27c97cb3e334c1dd9aafdd0786
SHA256cb96f8c2286c4b66024b37b6b09038ba358cbf9572042077b6e1d3c6a0e8336f
SHA512bfc3c8923b0cb1baf62be9545c16c0678f28bb8d0875cf9cbea217521804cd39c35adba3f31d6adc4e9460f5a56c771596a80a7528a4c17810fb208cfce3bb60
-
Filesize
560KB
MD5e6dd149f484e5dd78f545b026f4a1691
SHA13ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA25611243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA5120defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b
-
Filesize
1.1MB
MD510da85ae04da6c225fd4ea9d204378c9
SHA1d3730e020f9e2a5c217926180d44b65a91cf6a4a
SHA256d753eef117aabaa8247c3bcea0d39f64cfeaf612193e30995f5c00ead203e9c5
SHA5121cc1ef5da86f4683422301f8318c1bd6d30515aa36e1d6949eb749b47a3b557990b79f7bc682eb3e3f2ccef4155e56f8adeb1f09beec97de067acf40c91e9d69
-
Filesize
2.5MB
MD5b03886cb64c04b828b6ec1b2487df4a4
SHA1a7b9a99950429611931664950932f0e5525294a4
SHA2565dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc
SHA51221d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659
-
Filesize
128KB
MD5b4cd344bdf164bc552a7e4b7fd152594
SHA18e41f116655fbb8f4f614c21c0b02f06b281beba
SHA25665e375fbf5477a9c9ea06b4fd5115169b96478deaf55d65f207d89327269a015
SHA5121624548747342c564bac7e0830bc2710b6de8585fc70d1003ac77e972aaeb907ac6ce45ef53e04f9af38a60811aac6435be9192ded73106c538ddb9dd82916a0
-
Filesize
2.0MB
MD528b72e7425d6d224c060d3cf439c668c
SHA1a0a14c90e32e1ffd82558f044c351ad785e4dcd8
SHA256460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98
SHA5123e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6
-
Filesize
64KB
MD549becb0626a04b87221c00d30c3d14a2
SHA196e2f9ea00aa118ce62a368ded287f6b888c0cd4
SHA25695480cadb85d9df813521fd2360328eafc500001fa487324d3ec571397382b3f
SHA512a1f4fef9d039fd42a704d68b68552e3932d258123a02a3c66c78b8b2d48623b1e305662b378e0024d9c8b419824d3fd1b91dec96c5149123d945e7707bd6eda2
-
Filesize
192KB
MD59089c5ddf54262d275ab0ea6ceaebcba
SHA14796313ad8d780936e549ea509c1932deb41e02a
SHA25696766ea71dc59a5b1734aba76c1ab1cbc8459a9ee023e9875359667dbf51ea4a
SHA512ec71801feccd0c900132425d6bc601bcae6e78702b708df80783a752d08c8bdc49f0b0c8e7c37b15a02b381369b8a3c1114d7385796316b834738045f7dc053c
-
Filesize
128B
MD511bb3db51f701d4e42d3287f71a6a43e
SHA163a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA2566be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
Filesize
1.2MB
MD57c277165dcead3616b33d9432afcb485
SHA1b725f0009bb07f8c3f434adc10ccc8d78967ea62
SHA256a3548e60aee3eacd24068a097a0fd848bf9d61a19e54a88068b5be7539384c30
SHA5122f5d098b0ca693dc399479f293ce38b0254149481dcc397715cff47a55b870c2a3ae7824cc1587838ce0f511633fecc961384e836bbccde66734207d1f5e8105
-
Filesize
689KB
MD5951ac648539bfaa0f113db5e0406de5b
SHA11b42de9ef8aaf1740de90871c5fc16963a842f43
SHA256bb02f28cc67276b8d6609f80553c4976b2acbd34459af17167f8c1b001a84dfe
SHA512795e654e82d38905841c3af120fb8288e3f81580a559d97266c739d101b335807b99c2592388b3b4af411f626e8d2f3966316152ca62b87a4361a8da78919b2d
-
Filesize
384KB
MD5147b6aa5bd0222e5d58af8984b073c56
SHA1399923e38ba252bffbe5c13b39bcbf41798e15f5
SHA2566a2447d974f6eeaaa5ad420a24faa13417df7ebd5c76d0b872a11183d29c5bd9
SHA512c0002076c0eed73addcaee17d389293eee9b462d02187944ad7c5a5235b78265257efc958473d91bd5e63f3b0a8ed7ed166a550f311c348170914620da519d70
-
Filesize
1.7MB
MD50f68106658c054bde5c705e5b1f000e6
SHA15cc1bb15c4dfd5ad0630ae0ae9ac2286f3050102
SHA25658d6747e01ef0fce7a9a53341707556e91276314acbae7f6228d782291686b3c
SHA51230bbfc56175b7245acb175f85fc5023b497bb0ed26e6ccf6a585b408044b6adc8d165e1b6e797f1de1e5dd33806c14c9e3d5d818f5455ea0d7a2c381c269e59e
-
Filesize
1.6MB
MD5d3c015d761ac4697c31779ebd67685fe
SHA16eda243187265592a404feca52bf612ddc66e396
SHA256689272ab8ec16e67eb0c14f37e0928b21b3cf38e467216ed1240177d82e5d7ea
SHA512680b8009fc1392d7269a58821b9a0f71bf93ae4b7a46f8f3c9900ab501a48fa7c882c214377d0b33b6310d6d92259dada20db8b3e6939446b013b2d668a7d7ab
-
Filesize
1.4MB
MD50434ebfc7b8efe114543e34d6cdf4952
SHA1ddec4208a23e8d4e3c9ce589185e16292024ad6e
SHA256ae88c38e3a299998c1085e317dc29b6e5da6d659e638e301c45702458379c344
SHA5121d63fd7ef2649bb9581291d1c44495a8c90f8396ae53f267c4fbcfcbc89d70574438798e32dc9179ddd2c5ca37bb2d9f7b525430d9ac16037bfc5494ac88181c
-
Filesize
1.3MB
MD5192c2bee85452b62bbc7b9bd93b24b07
SHA13ef36ceccecb900280aff4297c8136a3746f024f
SHA256cd989adfe10e50fb4bc10dd7b1cc24bc0729cc218a238cf3fb1fc268ad530ae4
SHA51207981649ef443bce9eb1a5815321999dcc99cc96539dc2540d953b8208dcbbda24243ed4e542f6c9682a3d76eb7226d9fd6205e9631d96de85490b85f38b4b2f
-
Filesize
1.2MB
MD593482d73c7977a8486f8d1d59b8a5775
SHA1cf17a1a776ccdb3993901f0e48383ed6803b3996
SHA2564b47d6feba365f064331a63afd8132d95b9d6ddcaf3b715e17615774fa301192
SHA51280885ea4aaacf99c1577dfe1c0e338f78d6543881a032eefb052be3c692e2950576e0bf21995c336c40b4f35f2cd98197f3fb1830d4ee8964b9c6b3c762b0094
-
Filesize
1.1MB
MD56669371ff96389b0ec050b86918a98ac
SHA128d2c7360e3f10fa6aff0b2b0bbd384371407cba
SHA25688147009a4746cf66d54f5be049d7c36781f2a84c0fc21e9249424fc19ae4803
SHA512d7c6ff78e7e215a67c87f78d1c143cfdfc6c8e0dc6a6339b74f0853c184535f1563fdebd1e58bd1fa1833f5c5a84853d40c79232d20e5a54139bf3c4592cce25
-
Filesize
2.9MB
MD59d185f0fd5b659435bc019c9099db580
SHA11cd9db6640706a06c4440427c2bc49c909c24f01
SHA2560ea631ce1d7134e9bf394f7e36519b2e98e06785fbf23c94e908979f4fff005c
SHA5122020ef68692cbb607da0a8bed4c93552a098e6c5beac92edacb7558f04c11cb33b9c88cab4b9f5e3aee34a52d649d423d04cdb1752b287a17086a8fea6f6fa3d
-
Filesize
4.7MB
MD50a246e8a1939d2aaa24ee489bab659d9
SHA12cbb2d2a42f505579b119bd7fdd043d49fed72f0
SHA2566c5ee11145859d91a720747f3c602c67921ea50e3deaf3c1b860fe87cf1c4996
SHA5127ff589661c00399eab76c60aefcfcdc654b9f0124ac456ff95fab83c4f908ecbf6cda49b1b96b7d966156525204741c74930518608a1db1b14aff8c6470b4b90
-
Filesize
4.6MB
MD5f40812f88092a72b4a80a56d74456452
SHA10be636d0a130870f6be17130378422b803742ba8
SHA2560e2b963e6f42ff17b85a173d0e3406193b44dfab46a85d7cd959e7d6e45d8851
SHA51248806f65786c8080f7623daffee18bdd396bbe51975564010f168c202699b833c04a70af82bd1a5f6e04e39fe2ee0d58b58625adf031b6fd02add4bedc63379c
-
Filesize
2.0MB
MD57aecbe510817ee9636a5bcbff0ee5fdd
SHA16a3f27f7789ccf1b19c948774d84c865a9ac6825
SHA256b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac
SHA512a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
839KB
MD58858584011af51a30c31b647e63d82c0
SHA17f850261de72d27eb034cb8cc159797fa0a57a1b
SHA256e8b291c937c8b8a3bacea98fc24efed3b7c48367f796c978d6563f3a4d23e378
SHA512e61107cc426fe2545869b5f719a4298f66396a8a100efb569f60102dd73d165cb090508d44dabb208e365c378fc07bd52fa03464c7e9f09c001d033dd6493416
-
Filesize
1.1MB
MD556b83c068dc6c8df9c02236e9587cd42
SHA19803091206a0fff470768e67577426cce937a939
SHA256678ad0e61f6de9398cc11b9b36be203c12b690a0b06f06e5a62b1cfd51d0036e
SHA512e270b50ee7a2b70409c2881f3f936013f0034b7e4e66f914dfe97fc94af3e779de6174673a39b9b45b98beede0c04151609f4ee0e4277988d56a7d3ea62830cb
-
Filesize
640KB
MD5b17be9c9cd31a7c69c5dccc4222f3241
SHA10c4f24a70c3f555d8ebee3397a850a08f68051d1
SHA25645c0c53b6d1c5d7694e381ae14a6cd19e44d54dddb7c4aac00fe5fba9483b9ea
SHA512ff0884a00096e018008b5b50876ef6345959eaea8f5a0945a748070df87824ffb47566c50fc1474bf7f988801ffbc8a5c04e273483ee93615de027890efc3787
-
Filesize
128KB
MD5951c5cff24d9852fc47e239f8a3184b0
SHA126b6c602a93093326446761e3a07a8e69de981c8
SHA256fa7c173d6b452a5f897508c293ee962960c70e5789697f13b9dd630d5398c0a7
SHA512f93dd3849427551a16af746c38fb295c90b6d6c0e2460fd778ce600071eb6968b4659031cb541ac833223506cedc43312f99d1682a06347ae6862ca2374a684e
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
25KB
MD540d7eca32b2f4d29db98715dd45bfac5
SHA1124df3f617f562e46095776454e1c0c7bb791cc7
SHA25685e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA5125fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d
-
Filesize
1.4MB
MD58968359e460df9992c18c113c1c17674
SHA11370811cb82506f311c9ea7564df9a0029bd2265
SHA256da196e9c74d5f55018e8b34e506f8d15dafaff07ad297215139e28bc2f11f07c
SHA512cc9ce4a2cf680d5bf9945ee00600877e4a28a940888e6e9db90b431469f2a926fb386a4cb98243d60da4ad52353088d156a6815b1335e6b9077ed04a13e9f7d3