Analysis
-
max time kernel
55s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
27-02-2024 13:01
Static task
static1
Behavioral task
behavioral1
Sample
056d02ea6dc581ad442aee7313ac4a3b.exe
Resource
win7-20240221-en
General
-
Target
056d02ea6dc581ad442aee7313ac4a3b.exe
-
Size
254KB
-
MD5
056d02ea6dc581ad442aee7313ac4a3b
-
SHA1
700f0c0942dbe394c770af54034460f5890081bd
-
SHA256
ea98c56328b0659d7bfe4a2a04cb0a4c6c10ad5ce9f05c305b9264f305095c86
-
SHA512
d5f3510f604cf8fe33f5055e490c14a1952f8ae2a66c3ae5a24e7e90783c48e7c7d5774b1dc8e17391a9c3c9551f523ffd9693ffb0263dff05621ad3cd8c6190
-
SSDEEP
3072:nTyaDCKblRBnWMG9ZVeQfLYbEtbtExMub+nf0LOAtmAGqTgREilXzdQ5zpq/:GHMNU2Qf0gtKxR+nfEmAdT2EihJ2k
Malware Config
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
http://kamsmad.com/tmp/index.php
http://souzhensil.ru/tmp/index.php
http://teplokub.com.ua/tmp/index.php
Extracted
smokeloader
pub1
Signatures
-
Glupteba payload 6 IoCs
Processes:
resource yara_rule behavioral1/memory/2212-186-0x0000000002B70000-0x000000000345B000-memory.dmp family_glupteba behavioral1/memory/2212-187-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/2212-273-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/2736-301-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/2736-318-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/2100-324-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 1080 netsh.exe -
Stops running service(s) 3 TTPs
-
Deletes itself 1 IoCs
Processes:
pid process 1380 -
Executes dropped EXE 12 IoCs
Processes:
B8D4.exeB8D4.exeCF32.exeD358.exeDBD1.exeDBD1.tmpF980.exeFF0C.exe288c47bbc1871b439df19ff4df68f076.exeInstallSetup4.exeFourthX.exeBroomSetup.exepid process 2644 B8D4.exe 2756 B8D4.exe 2472 CF32.exe 2924 D358.exe 2812 DBD1.exe 1608 DBD1.tmp 1268 F980.exe 2272 FF0C.exe 2212 288c47bbc1871b439df19ff4df68f076.exe 1292 InstallSetup4.exe 2132 FourthX.exe 1632 BroomSetup.exe -
Loads dropped DLL 19 IoCs
Processes:
B8D4.exeDBD1.exeDBD1.tmpWerFault.exeF980.exeInstallSetup4.exeregsvr32.exepid process 2644 B8D4.exe 2812 DBD1.exe 1608 DBD1.tmp 1608 DBD1.tmp 1608 DBD1.tmp 1900 WerFault.exe 1900 WerFault.exe 1900 WerFault.exe 1900 WerFault.exe 1608 DBD1.tmp 1900 WerFault.exe 1268 F980.exe 1268 F980.exe 1268 F980.exe 1268 F980.exe 1268 F980.exe 1292 InstallSetup4.exe 1552 regsvr32.exe 1292 InstallSetup4.exe -
Processes:
resource yara_rule behavioral1/memory/2756-25-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/2756-28-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/2756-29-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/2756-30-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/2756-31-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/2756-32-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/2756-107-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/2756-134-0x0000000000400000-0x0000000000848000-memory.dmp upx behavioral1/memory/2756-181-0x0000000000400000-0x0000000000848000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
B8D4.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" B8D4.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
D358.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 D358.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
B8D4.exedescription pid process target process PID 2644 set thread context of 2756 2644 B8D4.exe B8D4.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exepid process 3552 sc.exe 4884 sc.exe 3512 sc.exe 2684 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1900 2472 WerFault.exe CF32.exe -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
056d02ea6dc581ad442aee7313ac4a3b.exeFF0C.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 056d02ea6dc581ad442aee7313ac4a3b.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 056d02ea6dc581ad442aee7313ac4a3b.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 056d02ea6dc581ad442aee7313ac4a3b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI FF0C.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI FF0C.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI FF0C.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
056d02ea6dc581ad442aee7313ac4a3b.exepid process 2956 056d02ea6dc581ad442aee7313ac4a3b.exe 2956 056d02ea6dc581ad442aee7313ac4a3b.exe 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 1380 -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
056d02ea6dc581ad442aee7313ac4a3b.exeFF0C.exepid process 2956 056d02ea6dc581ad442aee7313ac4a3b.exe 2272 FF0C.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description pid process Token: SeShutdownPrivilege 1380 Token: SeShutdownPrivilege 1380 Token: SeShutdownPrivilege 1380 Token: SeShutdownPrivilege 1380 -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
DBD1.tmppid process 1608 DBD1.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
B8D4.exeDBD1.exeCF32.exeF980.exeregsvr32.exedescription pid process target process PID 1380 wrote to memory of 2644 1380 B8D4.exe PID 1380 wrote to memory of 2644 1380 B8D4.exe PID 1380 wrote to memory of 2644 1380 B8D4.exe PID 1380 wrote to memory of 2644 1380 B8D4.exe PID 2644 wrote to memory of 2756 2644 B8D4.exe B8D4.exe PID 2644 wrote to memory of 2756 2644 B8D4.exe B8D4.exe PID 2644 wrote to memory of 2756 2644 B8D4.exe B8D4.exe PID 2644 wrote to memory of 2756 2644 B8D4.exe B8D4.exe PID 2644 wrote to memory of 2756 2644 B8D4.exe B8D4.exe PID 2644 wrote to memory of 2756 2644 B8D4.exe B8D4.exe PID 2644 wrote to memory of 2756 2644 B8D4.exe B8D4.exe PID 2644 wrote to memory of 2756 2644 B8D4.exe B8D4.exe PID 2644 wrote to memory of 2756 2644 B8D4.exe B8D4.exe PID 1380 wrote to memory of 2472 1380 CF32.exe PID 1380 wrote to memory of 2472 1380 CF32.exe PID 1380 wrote to memory of 2472 1380 CF32.exe PID 1380 wrote to memory of 2472 1380 CF32.exe PID 1380 wrote to memory of 2924 1380 D358.exe PID 1380 wrote to memory of 2924 1380 D358.exe PID 1380 wrote to memory of 2924 1380 D358.exe PID 1380 wrote to memory of 2924 1380 D358.exe PID 1380 wrote to memory of 2812 1380 DBD1.exe PID 1380 wrote to memory of 2812 1380 DBD1.exe PID 1380 wrote to memory of 2812 1380 DBD1.exe PID 1380 wrote to memory of 2812 1380 DBD1.exe PID 1380 wrote to memory of 2812 1380 DBD1.exe PID 1380 wrote to memory of 2812 1380 DBD1.exe PID 1380 wrote to memory of 2812 1380 DBD1.exe PID 2812 wrote to memory of 1608 2812 DBD1.exe DBD1.tmp PID 2812 wrote to memory of 1608 2812 DBD1.exe DBD1.tmp PID 2812 wrote to memory of 1608 2812 DBD1.exe DBD1.tmp PID 2812 wrote to memory of 1608 2812 DBD1.exe DBD1.tmp PID 2812 wrote to memory of 1608 2812 DBD1.exe DBD1.tmp PID 2812 wrote to memory of 1608 2812 DBD1.exe DBD1.tmp PID 2812 wrote to memory of 1608 2812 DBD1.exe DBD1.tmp PID 2472 wrote to memory of 1900 2472 CF32.exe WerFault.exe PID 2472 wrote to memory of 1900 2472 CF32.exe WerFault.exe PID 2472 wrote to memory of 1900 2472 CF32.exe WerFault.exe PID 2472 wrote to memory of 1900 2472 CF32.exe WerFault.exe PID 1380 wrote to memory of 1268 1380 F980.exe PID 1380 wrote to memory of 1268 1380 F980.exe PID 1380 wrote to memory of 1268 1380 F980.exe PID 1380 wrote to memory of 1268 1380 F980.exe PID 1380 wrote to memory of 2272 1380 FF0C.exe PID 1380 wrote to memory of 2272 1380 FF0C.exe PID 1380 wrote to memory of 2272 1380 FF0C.exe PID 1380 wrote to memory of 2272 1380 FF0C.exe PID 1268 wrote to memory of 2212 1268 F980.exe 288c47bbc1871b439df19ff4df68f076.exe PID 1268 wrote to memory of 2212 1268 F980.exe 288c47bbc1871b439df19ff4df68f076.exe PID 1268 wrote to memory of 2212 1268 F980.exe 288c47bbc1871b439df19ff4df68f076.exe PID 1268 wrote to memory of 2212 1268 F980.exe 288c47bbc1871b439df19ff4df68f076.exe PID 1380 wrote to memory of 1120 1380 regsvr32.exe PID 1380 wrote to memory of 1120 1380 regsvr32.exe PID 1380 wrote to memory of 1120 1380 regsvr32.exe PID 1380 wrote to memory of 1120 1380 regsvr32.exe PID 1380 wrote to memory of 1120 1380 regsvr32.exe PID 1120 wrote to memory of 1552 1120 regsvr32.exe regsvr32.exe PID 1120 wrote to memory of 1552 1120 regsvr32.exe regsvr32.exe PID 1120 wrote to memory of 1552 1120 regsvr32.exe regsvr32.exe PID 1120 wrote to memory of 1552 1120 regsvr32.exe regsvr32.exe PID 1120 wrote to memory of 1552 1120 regsvr32.exe regsvr32.exe PID 1120 wrote to memory of 1552 1120 regsvr32.exe regsvr32.exe PID 1120 wrote to memory of 1552 1120 regsvr32.exe regsvr32.exe PID 1268 wrote to memory of 1292 1268 F980.exe InstallSetup4.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe"C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2956
-
C:\Users\Admin\AppData\Local\Temp\B8D4.exeC:\Users\Admin\AppData\Local\Temp\B8D4.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Users\Admin\AppData\Local\Temp\B8D4.exeC:\Users\Admin\AppData\Local\Temp\B8D4.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2756
-
-
C:\Users\Admin\AppData\Local\Temp\CF32.exeC:\Users\Admin\AppData\Local\Temp\CF32.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1242⤵
- Loads dropped DLL
- Program crash
PID:1900
-
-
C:\Users\Admin\AppData\Local\Temp\D358.exeC:\Users\Admin\AppData\Local\Temp\D358.exe1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2924
-
C:\Users\Admin\AppData\Local\Temp\DBD1.exeC:\Users\Admin\AppData\Local\Temp\DBD1.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Users\Admin\AppData\Local\Temp\is-KVUFK.tmp\DBD1.tmp"C:\Users\Admin\AppData\Local\Temp\is-KVUFK.tmp\DBD1.tmp" /SL5="$70120,2248936,56832,C:\Users\Admin\AppData\Local\Temp\DBD1.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:1608
-
-
C:\Users\Admin\AppData\Local\Temp\F980.exeC:\Users\Admin\AppData\Local\Temp\F980.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"2⤵
- Executes dropped EXE
PID:2212 -
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"3⤵PID:2736
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵PID:616
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
PID:1080
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵PID:2100
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1292 -
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe3⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "4⤵PID:2480
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F5⤵
- Creates scheduled task(s)
PID:2232
-
-
C:\Windows\SysWOW64\chcp.comchcp 12515⤵PID:564
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\nsj3999.tmpC:\Users\Admin\AppData\Local\Temp\nsj3999.tmp3⤵PID:1092
-
-
-
C:\Users\Admin\AppData\Local\Temp\FourthX.exe"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"2⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵PID:2676
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "UTIXDCVF"3⤵
- Launches sc.exe
PID:3552
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵PID:3604
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵PID:4812
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"3⤵
- Launches sc.exe
PID:4884
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "UTIXDCVF"3⤵
- Launches sc.exe
PID:3512
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:2684
-
-
-
C:\Users\Admin\AppData\Local\Temp\FF0C.exeC:\Users\Admin\AppData\Local\Temp\FF0C.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2272
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\CD3.dll1⤵
- Suspicious use of WriteProcessMemory
PID:1120 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\CD3.dll2⤵
- Loads dropped DLL
PID:1552
-
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227130210.log C:\Windows\Logs\CBS\CbsPersist_20240227130210.cab1⤵PID:2516
-
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exeC:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe1⤵PID:1584
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵PID:4100
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Modify Registry
1Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
960KB
MD5cf71d723e6a3a2abdb69313657a0862f
SHA19fae6ddc3f0a9e3c874a278435946d83f3f9ab1c
SHA256ed443d39cd06137b2b8c8a54057b8a855a84960f41c4bb53ed81028293dfe125
SHA512b140ee2a326a7727c80b3c817f266a6f3299102d113cdecf674f70613e90f83b4466fec1b91a3639cc5722e6d5b6c3baabe46d8dabc330c881a5732b32d36d6e
-
Filesize
128KB
MD5550ee7188c527b01bfa4d015377d121c
SHA144c45f90daaef2f68d08512a79d0efa86a748f4b
SHA256b236c2da74955dc9bcd4fc696ae78f49edbbc6f06aacaa80f0246da3deb3265d
SHA512677f8a65ca34a290ce916d13966f0511875d5cfc12cc0983d7463a64047528a2407eb62ca8cae392452d06e756b9d07014af52c92d91ec61264c2005468f2a1a
-
Filesize
1.8MB
MD505289f5848a855ff3d7a78b862498e26
SHA11021a66f15e425f33047d76a247680e916e736b0
SHA2569c6d6f161b0253f9a78cd099ed0aa225b6ac00d3801859ff7405abd08b501407
SHA51246265b61d4bdaeaf8af057fe5d49062f69b5ba7ca28198724c0767750af9705bf2f203183b7d33713ba45a9a02009539c5a2253ba567e7b4a4c0a79e85c200a7
-
Filesize
4.1MB
MD5d122f827c4fc73f9a06d7f6f2d08cd95
SHA1cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
SHA256b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
SHA5128755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986
-
Filesize
2.6MB
MD55dda57f208bce79bb557eca7195d8b84
SHA12b28b1da149bd869169bc72fc27aac195ec7b5cf
SHA256bcc4c28be2fd1c79527cdc8ff8b772cb78cdcef55aec63a4c22b94ffbc561a1e
SHA512bc14a9aebfa4e7df0f5442810376328d98261653aaf7a5902ec4a32ade85f2bbd2e219ef1f4181f00fa32cf9dbb702a2ca3e2465c959d3b6b379bb9d3a9f8bf5
-
Filesize
5.2MB
MD59bcaea6efb5a1f9f39602d3975f9c20b
SHA1eebbfc1bd15fd1461bc669b3c83407d76369b65a
SHA256ebf099babce34f2e26cf09093973ecd055677fc11ce468f864a778b97ee62fce
SHA51213d3e9f4aee201640a66fea27ae3ed60e22365f0a20c97fff4f7c098a84bce0dda39573228ec76f44907767a2075b7e5173b9afab21db26a6e906e33a07402c3
-
Filesize
1.9MB
MD5398ab69b1cdc624298fbc00526ea8aca
SHA1b2c76463ae08bb3a08accfcbf609ec4c2a9c0821
SHA256ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be
SHA5123b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739
-
Filesize
933KB
MD5dd22fa3503a193f07332b55be4281baf
SHA1515a34abc727f94df4cf2a904517a2fb843d22df
SHA256488ea9cd85ff26069e7058656761e545cba1ecadd1dec8138056d20b6817890b
SHA51218efbcb3b6abe156b159bf1df561473e9fb346920cc29f6db61521c83be5c27820ba80b8e36e501182dc47d7568996e5b13999c160684a71769d84ce759c7b9f
-
Filesize
1024KB
MD52ca32a64d491385b9191b77cd9e1245e
SHA13689280aeae1870caec7d5a32c5b0ae6be4f310a
SHA256eee6f86fc319c64e0ea3af8103d282a73fb604af3b1516b1ebc4141cd3039fae
SHA512a004e023c9103608b17d2c9454dd6bc328b3d15a1c86effdfc04eb18d739453f77627b950ebf3be18ae9498ca7029985e60be294398884d153e50a233d9b455f
-
Filesize
1.2MB
MD5286796d0050225040303192dffc1c4ef
SHA1daef291b3941387fee3ced03d44a4e254dfec217
SHA2561546488b5733038151f0c4f8e946afc1cc87990b51a4f191b0911d6705ba6e24
SHA51204d623a2fe9fa8ec639b9c0ba467f5a2929992f514a1885f943a93401da94ab50ff1c9e0b3ac3e86b79ea570b7010583fbcca062612e28161a1ac0b62b6b56b8
-
Filesize
6.2MB
MD598032e01a07b787b4416121c3fdf3ae5
SHA165c8dc24c8b5d416c1e51105e190c440762069f3
SHA2568ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7
SHA5123db2d03a323a6be3014eeba75dc56bd0ad486c23e05824f64399ea9c11da8a958380846a06f672a5153c5754778387e6b07d86fe1c05cca7afe3b1b8f17438fb
-
Filesize
554KB
MD5a1b5ee1b9649ab629a7ac257e2392f8d
SHA1dc1b14b6d57589440fb3021c9e06a3e3191968dc
SHA2562bfd95260a4c52d4474cd51e74469fc3de94caed28937ff0ce99ded66af97e65
SHA51250ccbb9fd4ea2da847c6be5988e1e82e28d551b06cc9122b921dbd40eff4b657a81a010cea76f29e88fda06f8c053090b38d04eb89a6d63ec4f42ef68b1cf82b
-
Filesize
2.5MB
MD58b0b0943877aa89cf021d5d5e2cbb1aa
SHA17a64ea593c231fb4b1d7c584980a6650960ac32b
SHA256b60848ac2a0eabd598b41b0f63d5ebef61e5df8bfdf616416223847788ea1905
SHA512d412b004c315f036929684a2bb3bba213c78bcddd11700f07d42a0542736140451b37ea75492bc02f1ac0a6a97349ec7cbabe97e5d8b90db579ee3e6c4523bfc
-
Filesize
7.5MB
MD5734d6855b16661cb69bb5b6a90090d31
SHA1a2e7b1d00195979d861545c2265bbb34fd270322
SHA2566a66918218c3d4e21661fa9c5ce4e9b173bd7efd59401d58b5feb09f84f5736e
SHA512a42c2144441453672dfcd44c213e2308e0a3eb7b7bd5800fdbc6d527dbcf45dcf864acf768e13acee5440957a6579a011295202cec42d78a2b766805ff654ddf
-
Filesize
8.2MB
MD5eee536f4a6ede82f65053565a4fd8ad2
SHA1699dad222c2b27e99e5d1f31230b981701257d51
SHA25689d9b8ec8b0ded42c487fe899692d672b76ac937abc8a59155c4317165b9fb52
SHA512c8a3bcdd8c522006abbf3525cb26cefd2c565fd2306b9999362d8932c938d47637e74d12054e47dbfcf5437204d02248fd035951a9f52382be1989b8341585e5
-
Filesize
246KB
MD5b2c14d5c21130dc795b521206c0b97d4
SHA13cfe837b022d15fd869e6262813e38ed8efb92dc
SHA256ceb9c45f1cba5982b280a1513486b731db96580d5b352dbecf6a499db5233c37
SHA512bd71a2f37bce36f986da25acfd43919c141e321427d9b8176d4cbe67ca23e93face541ce1192057b129fc7e960ef25af2eb9233badfdc06afdfa85ebae6ff107
-
Filesize
192KB
MD56a190e993f065d939995adfdb07cc8a1
SHA19664f606593178eb502cc38b5431189cc4c2cd5e
SHA2566c8188b31f1c40c05d61e65ea787b2fdde140b631a41a72318d33c5ca475df21
SHA512a6c1421c487bb344f8bb7ebe9cf2ac2a72cea9c9b70fd9a4092f0891e2de2a3f8150f7ad213bd46300639f21649c79a8360ab917833cbfcb7460bc06de2d17e2
-
Filesize
1.2MB
MD55ca7fc407124217ed4ac456d5369e951
SHA15defeaea509bafe38005a9232d94282b59525ef3
SHA256dff322ad2a276c1108b45e701c5af4f94a664fb25b72e95b3b29b60bd034a120
SHA512dacc7e70b13b59f4dc7d47f2b254c510d6603f1c3cb59213569cc267057beb2a8952dc5fd1fda2fe3747d94144c1526c85c454af9e7a6e47a0c41f40cbd5f572
-
Filesize
832KB
MD5b29cd31f15d37cebbe2804adc62ce2e9
SHA1e036f370e3b9a849609823c1cf295c07968b91a0
SHA256082ab87e967c75809e40fab5cdfd97aa48c3827b52e26188d9fabfadd5da4bf2
SHA5122a031213cadf534acf2ef564937fa6102f7103d91513498c0c4dfef4f3056a1f568e7db70ef9ad817e75117dbead7b0f5e4e8bf59767f026ca09831f321860f4
-
Filesize
832KB
MD5f75b9beec810c7d22ac06871935465cc
SHA102a949c1e44035114022079454555c9c145bf8fb
SHA256edbe5331590b5dd47a67f9546820b96f3f2b4590cd4444ec6e6185762c6a2182
SHA512e2e8b13f7e69d46fd1d3a08e08ef0bf661dc690df37583ea653321ac05ccc717a716ec9ac1670e574a87e70c8096bce538b976d7fbb4af9f46cf5c1ad598a37c
-
Filesize
1.1MB
MD50159c753801f7e27ae10b8527805eb8c
SHA1aa87fef2ddf7159ae08194089e4d4178d5dbe009
SHA256db2b1d24d4ae5442db39be1d3aae8329b9a2c752e402fb6669b27343c15ccd8c
SHA5124fd68d99b5bada4e40c271b50f27b5f5e7ae330609a05087eca6cc0ff8e746487de43ca322f80d26f843e06e31d53d5cf4d0a1d8ec1bf455cc901e967cd54c3a
-
Filesize
128B
MD511bb3db51f701d4e42d3287f71a6a43e
SHA163a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA2566be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
Filesize
3.6MB
MD5e75541c5590c89a0fe3e54389fb55206
SHA190f859047ad79a70a663c4fd7644123aadc8da32
SHA25688ede6ceb2f99ea6e72def366135b52fc54e7b9044c4ec11909f01fd354831de
SHA5127504346951cdc9e42ea1a6cd11cd26d6602b58751b80f989dfe45cf24821fd40bf7152bf7aef3a3a36a1a8efde595f67ea0a3973f4b7e5fd2e5770d786f0b18a
-
Filesize
832KB
MD5b8c50d741d429e4cd6210293c0f0d881
SHA1059f1aa663f344b66b7ab96bd092bfd08ef6b091
SHA256862a2046656a5a5dc1638c6b9ac7c751b90fceae08d37b4e2702b73c45278a8b
SHA512b7e6e142048371568ecdc9bc10c0da83c73125bdff1964839244f0b95eb7fd08a34f42f4fcd26ff5fac52f4350fb28c2505df2ce69c51a2fd0ff76a903d83096
-
Filesize
1.1MB
MD537a34cf341124d12f66711d65b92f63f
SHA185457cebf25e771ccb5179768e19698044b7d19a
SHA2567e1549fbe0bd82d5a7fd18a47e3f1b018362a7e76efd6a14b156a7dcf203c79f
SHA5120db2f1b87f4fc1adf077fa94dc3e16f036f70b72ed40533ee84cead602b1229ebd3902b3989d33e4306d7057b2cab572ed02b5d16a36ab8fc7de6f8aa400c091
-
Filesize
1024KB
MD5f26249769d27c4988588974f0afc5ad0
SHA1e8b18cd33637ba0baebb2e1e0140103debcc264a
SHA256473cd36e397548c71f0dc65cfefaab1080f92dd29caf1f3ded7fe34e644aa363
SHA512805a479d4638968920c12dd139114e6741b0eea512fb1e68003a6497a3b0deb1ee0f704169a8e5a1932cb4e8a1a50ded1fb05fcc93ae778c93a1d3db6fcd8fcd
-
Filesize
256KB
MD5d8fd6ee086168ae33101a622914ea1aa
SHA1087e83ecd19f56d7e1613dd3ec4397790a56bcdc
SHA2568c83aa0ca592ee93a216ce28bb14385acafe2568df56ad4b28a8d2e36e32ed3d
SHA51284227739f05c24c889086a4ec8ca1b92b62d85fb687a49c13024fe223129bb4af98cec4ddf1cf72c0ca0f5b63f3a55a3b3e01c97f4a34eba0dedd3f9da86bfde
-
Filesize
896KB
MD5c0edb4bdfa9609b484821a931dcb20df
SHA1670337c951b8db965c0f96fc2c8ba31233311346
SHA256aefb25d522bf71ea8eea24172f27dfcf3759a2c2b3bd1ba8c019a41adc554c50
SHA512e7380f25d992bcd687aa281f525600debd31802b3fc594d02f3ded4d1e9150714474a0be90e4a1b6853ba4bfb0295106fedef5d85dd3d2f1f095ac1f566f93b9
-
Filesize
704KB
MD5d88cfcec577f4802c42cb752a315474a
SHA1ff66289dd3da72eac2923869e669dd6c64b2b2fe
SHA256a3ee7cd13efaadc84d9d74ffcb95a5baf5a9af2e0eea8f7344a36526c7f2974e
SHA5121a4f7611ecf3751d1fdba2e0af20d88e059f951e0e89559c9029f2ed8499fcfe77544cdd206d5953a954987a0fc409f38da5f656aeb49b547941989e4337c0c4
-
Filesize
1.1MB
MD55da4883f8ac78d69d47b1dfe11e520e3
SHA100cb082add96a09d6afcd6bbe1f00f640c5efb14
SHA256efa199532e7cedab9c86e7d7341d4d1f5fcf9efc26878babd7e23d82e1bfc646
SHA512d86889c8514b7798ab8b4f311e90f417e4ca5a2605f8cba383cc3d89d82cc7ad01558117b5ed69e65c29e51f2aabcde94290ae75089f084c1dc0e972d9efcee2
-
Filesize
1024KB
MD5eaa244bcc280805a06303b283c342413
SHA122bf3cecb67b58a2b8f506a7e0e3e9c2a50c7fa1
SHA256dedccef043421417a11bdd1623f8ded11939c6f7ac2ba82d62facb75226549cc
SHA51291e34d6e4a035566fd4579d74e68b02e2721ad839ee080c17b0c455ec52cc8e32a85493b3d81edbcd43bc02d5942326471d4c7330f433fe33b486c540d6f071e
-
Filesize
1.8MB
MD5f7744affd3a2d6e411a04434f376915a
SHA1f782e667ac2f1f55ccdb2be6b1e6c03f92a81c4f
SHA2563b2ee23621b23af2609e0c206510f002927a69f86dcc806e489795740f7853b9
SHA5127821bd32412521ebca8cb5eeaff3f73d9e273a3f7b15b86acd45f25bd78f43bb6d390f9e51152e98a3926abaea922303a34ce8be0b0e6b296a5a689486ed3e26
-
Filesize
768KB
MD5e57b67d14aa175312da3f5a69294668e
SHA101618135f1a7177023c59fd8d1fed58e03c59945
SHA256170a9e9bf03a35b9d62cc43bcd485ca87482e0dab5ce1a6eaa1a38c0f73425da
SHA5120fdcc9b5a2018c67c2cb7019e8684f9f44d5af83d36cde827d38c1fc35def799af6a056d0bf023a6f164f7b87a281cb7816c433221e3068357e7d65e96b4f299
-
Filesize
2.0MB
MD528b72e7425d6d224c060d3cf439c668c
SHA1a0a14c90e32e1ffd82558f044c351ad785e4dcd8
SHA256460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98
SHA5123e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
19KB
MD53adaa386b671c2df3bae5b39dc093008
SHA1067cf95fbdb922d81db58432c46930f86d23dded
SHA25671cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38
SHA512bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
690KB
MD5a1b45df2ed6b73416fdf10a62a69f8f0
SHA1053d566b3d1d4ec47d4dff670611a20802b1a366
SHA2560f20cd41a5d49d9324f102419045adbaa01e1bdab8f620cacd30f32290009a4d
SHA512bbe1b8cd45eda9f201093970788a001d4142fe234b21e6fc992366f86a0fcc2156480394696a09cedc41381ba939966d5825582f49a90bdd089dc765fa52a8f2
-
Filesize
25KB
MD540d7eca32b2f4d29db98715dd45bfac5
SHA1124df3f617f562e46095776454e1c0c7bb791cc7
SHA25685e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA5125fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d
-
Filesize
246KB
MD5da812d63d6637fbc245339e746ccf1f9
SHA11d5c645e81e96606b26aa56526fb0022bb68c4b0
SHA2564f4c0bb02c9763384478abac72bf8ddd8be850be19e4978b90b5329ef689aeba
SHA51205579ee699524ef0a95b730a252ce93302b71aefabc4642e002e817dd35c922473e6a1102efa43041f591a8ba04f5b5ccd0d8f43ee737eb2c8b0c086eed4a177
-
Filesize
4.1MB
MD5630dfa44d79eae6e77011c43d36944af
SHA10b3fb8ed546593cd92b6128761edbffad633ae81
SHA256806fae64d18d87b7d9829ef0d3417a39c95ac0e52b9f88725439d602265eb0ed
SHA512bb1aa89c27c751c6e1b4056a3dc73b6804ba19100cf0f6dfdfebac783931cf5d7d06961bf94997cd3ee8396efb33d143883b0b77af402e2ac5f6106b36c74248