Analysis
max time kernel: 129s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 12-03-2024 03:53
Static task: static1
Behavioral task: behavioral1
Sample: mw3reaper.rar
Resource: win10v2004-20240226-en
General
Target: mw3reaper.rar
Size: 13.2MB
MD5: c77fd8185dd3fe2ee5672a0531c4b3c7
SHA1: 7e321783026506c06cd3c34dabdb2ec4f277d17b
SHA256: 11c712b2b16eeb1652793fc8bad16d9177ef161398dceb95e136f8f2a349e56c
SHA512: b0c3696a406a34b5a1e7cf8413d416251959006162901a7934054f09f0b909e2e582ce215dd97b8f7170b47c5d054f95ea9109d1cbcff67c69844e89125dce7b
SSDEEP: 393216:UN0mmXrXBwtGmoWtJVKSJgNn3TeGKLCM3v:UN8rXetGTWtJNJgNnDI/
Malware Config
Signatures

Cerber 5 IoCs
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
description | ioc | pid | Process
 |  | 4044 | taskkill.exe
Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} |  | AMIDEWINx64.exe
Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} |  | AMIDEWINx64.exe
Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} |  | AMIDEWINx64.exe
Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} |  | AMIDEWINx64.exe

Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | OHT1k0.exe
Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | UQoK.exe
Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | tXauTiJr.exe
Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | tXauTiJr.exe

Executes dropped EXE 8 IoCs
pid | Process
2940 | tXauTiJr.exe
2776 | AMIDEWINx64.exe
3752 | AMIDEWINx64.exe
3024 | OHT1k0.exe
704 | UQoK.exe
3272 | tXauTiJr.exe
3812 | AMIDEWINx64.exe
2060 | AMIDEWINx64.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | OHT1k0.exe
File opened for modification | \??\PhysicalDrive0 | UQoK.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid | Process
3024 | OHT1k0.exe
3024 | OHT1k0.exe
704 | UQoK.exe
704 | UQoK.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill 4 IoCs
pid | Process
3024 | taskkill.exe
4960 | taskkill.exe
5020 | taskkill.exe
4044 | taskkill.exe

Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings | cmd.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
3024 | OHT1k0.exe
704 | UQoK.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3148 | 7zFM.exe
3024 | OHT1k0.exe
704 | UQoK.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
3148 | 7zFM.exe
704 | UQoK.exe

Suspicious behavior: LoadsDriver 4 IoCs
pid | Process
640 | Process not Found
640 | Process not Found
640 | Process not Found
640 | Process not Found

Suspicious use of AdjustPrivilegeToken 10 IoCs
description | pid | Process
Token: SeRestorePrivilege | 3148 | 7zFM.exe
Token: 35 | 3148 | 7zFM.exe
Token: SeSecurityPrivilege | 3148 | 7zFM.exe
Token: SeDebugPrivilege | 4044 | taskkill.exe
Token: SeDebugPrivilege | 3024 | taskkill.exe
Token: SeSecurityPrivilege | 3148 | 7zFM.exe
Token: SeSecurityPrivilege | 3148 | 7zFM.exe
Token: SeSecurityPrivilege | 3148 | 7zFM.exe
Token: SeDebugPrivilege | 4960 | taskkill.exe
Token: SeDebugPrivilege | 5020 | taskkill.exe

Suspicious use of FindShellTrayWindow 7 IoCs
pid | Process
3148 | 7zFM.exe
3148 | 7zFM.exe
3148 | 7zFM.exe
3024 | OHT1k0.exe
3148 | 7zFM.exe
704 | UQoK.exe
3148 | 7zFM.exe

Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
3272 | tXauTiJr.exe
3812 | AMIDEWINx64.exe
2060 | AMIDEWINx64.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1684 wrote to memory of 3148 | 1684 | cmd.exe | 90
PID 3148 wrote to memory of 2940 | 3148 | 7zFM.exe | 106
PID 2940 wrote to memory of 1116 | 2940 | tXauTiJr.exe | 108
PID 2940 wrote to memory of 1392 | 2940 | tXauTiJr.exe | 109
PID 2940 wrote to memory of 1124 | 2940 | tXauTiJr.exe | 110
PID 2940 wrote to memory of 3132 | 2940 | tXauTiJr.exe | 111
PID 2940 wrote to memory of 4588 | 2940 | tXauTiJr.exe | 112
PID 4588 wrote to memory of 4044 | 4588 | cmd.exe | 114
PID 2940 wrote to memory of 5004 | 2940 | tXauTiJr.exe | 118
PID 5004 wrote to memory of 2776 | 5004 | cmd.exe | 121
PID 2940 wrote to memory of 3700 | 2940 | tXauTiJr.exe | 122
PID 3700 wrote to memory of 3752 | 3700 | cmd.exe | 124
PID 2940 wrote to memory of 4972 | 2940 | tXauTiJr.exe | 125
PID 4972 wrote to memory of 3024 | 4972 | cmd.exe | 127
PID 2940 wrote to memory of 1476 | 2940 | tXauTiJr.exe | 128
PID 2940 wrote to memory of 2240 | 2940 | tXauTiJr.exe | 130
PID 2940 wrote to memory of 1028 | 2940 | tXauTiJr.exe | 132
PID 2940 wrote to memory of 2136 | 2940 | tXauTiJr.exe | 135
PID 3148 wrote to memory of 3024 | 3148 | 7zFM.exe | 136
PID 3024 wrote to memory of 704 | 3024 | OHT1k0.exe | 137
PID 3272 wrote to memory of 3600 | 3272 | tXauTiJr.exe | 144
PID 3272 wrote to memory of 4052 | 3272 | tXauTiJr.exe | 145
PID 3272 wrote to memory of 5032 | 3272 | tXauTiJr.exe | 146
PID 3272 wrote to memory of 4180 | 3272 | tXauTiJr.exe | 147
PID 3272 wrote to memory of 1156 | 3272 | tXauTiJr.exe | 148
PID 1156 wrote to memory of 4960 | 1156 | cmd.exe | 150
PID 3272 wrote to memory of 3980 | 3272 | tXauTiJr.exe | 151
PID 3980 wrote to memory of 3812 | 3980 | cmd.exe | 153
PID 3272 wrote to memory of 1468 | 3272 | tXauTiJr.exe | 154
PID 1468 wrote to memory of 2060 | 1468 | cmd.exe | 156
PID 3272 wrote to memory of 5068 | 3272 | tXauTiJr.exe | 157
PID 5068 wrote to memory of 5020 | 5068 | cmd.exe | 159

Processes
C:\Windows\system32\cmd.exe (PID 1684)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\mw3reaper.rar
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    C:\Program Files\7-Zip\7zFM.exe (PID 3148)
      Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\mw3reaper.rar"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\7zOC4CA27A7\tXauTiJr.exe (PID 2940)
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zOC4CA27A7\tXauTiJr.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\cmd.exe (PID 1116)
              Command line: C:\Windows\system32\cmd.exe /c cls
            C:\Windows\system32\cmd.exe (PID 1392)
              Command line: C:\Windows\system32\cmd.exe /c cls
            C:\Windows\system32\cmd.exe (PID 1124)
              Command line: C:\Windows\system32\cmd.exe /c cls
            C:\Windows\system32\cmd.exe (PID 3132)
              Command line: C:\Windows\system32\cmd.exe /c cls
            C:\Windows\System32\cmd.exe (PID 4588)
              Command line: "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM WmiPrvSE.exe
              - Suspicious use of WriteProcessMemory
                C:\Windows\system32\taskkill.exe (PID 4044)
                  Command line: TASKKILL /F /IM WmiPrvSE.exe
                  - Cerber
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\cmd.exe (PID 5004)
              Command line: "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS %RANDOM%%RANDOM%%RANDOM%
              - Suspicious use of WriteProcessMemory
                C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 2776)
                  Command line: C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 308322932411087
                  - Cerber
                  - Executes dropped EXE
            C:\Windows\System32\cmd.exe (PID 3700)
              Command line: "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV %RANDOM%%RANDOM%%RANDOM%
              - Suspicious use of WriteProcessMemory
                C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 3752)
                  Command line: C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 308322932411087
                  - Cerber
                  - Executes dropped EXE
            C:\Windows\System32\cmd.exe (PID 4972)
              Command line: "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM WmiPrvSE.exe
              - Suspicious use of WriteProcessMemory
                C:\Windows\system32\taskkill.exe (PID 3024)
                  Command line: TASKKILL /F /IM WmiPrvSE.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\cmd.exe (PID 1476)
              Command line: "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
            C:\Windows\System32\cmd.exe (PID 2240)
              Command line: "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
            C:\Windows\System32\cmd.exe (PID 1028)
              Command line: "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
            C:\Windows\system32\cmd.exe (PID 2136)
              Command line: C:\Windows\system32\cmd.exe /c cls
        C:\Users\Admin\AppData\Local\Temp\7zOC4CD4708\OHT1k0.exe (PID 3024)
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zOC4CD4708\OHT1k0.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Writes to the Master Boot Record (MBR)
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: AddClipboardFormatListener
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\7zOC4CD4708\UQoK.exe (PID 704)
              Command line: C:\Users\Admin\AppData\Local\Temp\7zOC4CD4708\UQoK.exe -asec -upd -rmf=433a2f55736572732f41646d696e2f417070446174612f4c6f63616c2f54656d702f377a4f43344344343730382f4f4854316b302e657865
              - Checks computer location settings
              - Executes dropped EXE
              - Writes to the Master Boot Record (MBR)
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - Suspicious behavior: AddClipboardFormatListener
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of FindShellTrayWindow

C:\Windows\System32\rundll32.exe (PID 2776)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\tXauTiJr.exe (PID 3272)
  Command line: "C:\Users\Admin\Desktop\tXauTiJr.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (PID 3600)
      Command line: C:\Windows\system32\cmd.exe /c cls
    C:\Windows\system32\cmd.exe (PID 4052)
      Command line: C:\Windows\system32\cmd.exe /c cls
    C:\Windows\system32\cmd.exe (PID 5032)
      Command line: C:\Windows\system32\cmd.exe /c cls
    C:\Windows\system32\cmd.exe (PID 4180)
      Command line: C:\Windows\system32\cmd.exe /c cls
    C:\Windows\System32\cmd.exe (PID 1156)
      Command line: "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM WmiPrvSE.exe
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe (PID 4960)
          Command line: TASKKILL /F /IM WmiPrvSE.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\cmd.exe (PID 3980)
      Command line: "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS %RANDOM%%RANDOM%%RANDOM%
      - Suspicious use of WriteProcessMemory
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 3812)
          Command line: C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 310671677719355
          - Cerber
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
    C:\Windows\System32\cmd.exe (PID 1468)
      Command line: "C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV %RANDOM%%RANDOM%%RANDOM%
      - Suspicious use of WriteProcessMemory
        C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe (PID 2060)
          Command line: C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 31071275254452
          - Cerber
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
    C:\Windows\System32\cmd.exe (PID 5068)
      Command line: "C:\Windows\System32\cmd.exe" /C TASKKILL /F /IM WmiPrvSE.exe
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\taskkill.exe (PID 5020)
          Command line: TASKKILL /F /IM WmiPrvSE.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\cmd.exe (PID 1584)
      Command line: "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys
    C:\Windows\System32\cmd.exe (PID 2232)
      Command line: "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys
    C:\Windows\System32\cmd.exe (PID 4188)
      Command line: "C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe
    C:\Windows\system32\cmd.exe (PID 1320)
      Command line: C:\Windows\system32\cmd.exe /c cls

Network
MITRE ATT&CK Enterprise v15
Downloads