Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-11-2024 10:54
Static task
static1
Behavioral task
behavioral1
Sample
252115f874019044de7f7ebd36067537ab1e65b51ab771ec447b073fd9d6045d.msi
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
252115f874019044de7f7ebd36067537ab1e65b51ab771ec447b073fd9d6045d.msi
Resource
win10v2004-20241007-en
General
-
Target
252115f874019044de7f7ebd36067537ab1e65b51ab771ec447b073fd9d6045d.msi
-
Size
135.9MB
-
MD5
9bb81bdc5e28a397f25617a22b9e157d
-
SHA1
e9e78c22ff047b35c2a6691295a9df62de203df0
-
SHA256
252115f874019044de7f7ebd36067537ab1e65b51ab771ec447b073fd9d6045d
-
SHA512
dc5678fd1441a5b65792f16ffc64694029f2b70dabcb4d54908121c2267d0f34b4de83d951a656267c80e288d9b0b0030d42572a7782d45762427be07c61483d
-
SSDEEP
3145728:9QlSw/0KksfWneWVr6/4J3DYgxqmz8CZCLLURIq3MmzJPeHeZ:GlSw/7ksOneWVm/CDYddLYIcMeZ
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/2572-17545-0x0000000000400000-0x0000000001F96000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 1 IoCs
resource yara_rule behavioral1/memory/2572-17545-0x0000000000400000-0x0000000001F96000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\X: Vnfvn.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: Vnfvn.exe File opened (read-only) \??\S: Vnfvn.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: Vnfvn.exe File opened (read-only) \??\K: Vnfvn.exe File opened (read-only) \??\Z: Vnfvn.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\G: Vnfvn.exe File opened (read-only) \??\I: Vnfvn.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\H: Vnfvn.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\P: Vnfvn.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: Vnfvn.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: Vnfvn.exe File opened (read-only) \??\Q: Vnfvn.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\R: Vnfvn.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\L: Vnfvn.exe File opened (read-only) \??\M: Vnfvn.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: Vnfvn.exe File opened (read-only) \??\V: Vnfvn.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\N: Vnfvn.exe File opened (read-only) \??\Y: Vnfvn.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\U: Vnfvn.exe File opened (read-only) \??\W: Vnfvn.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\N: msiexec.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Vnfvn.exe SoftUpdate.exe File opened for modification C:\Windows\SysWOW64\Vnfvn.exe SoftUpdate.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 35 IoCs
pid Process 2572 SoftUpdate.exe 2572 SoftUpdate.exe 2572 SoftUpdate.exe 2572 SoftUpdate.exe 9492 Vnfvn.exe 9492 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe -
Drops file in Windows directory 11 IoCs
description ioc Process File created C:\Windows\Installer\f76e6c6.msi msiexec.exe File opened for modification C:\Windows\Installer\f76e6c6.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIE782.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIE929.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIEBF9.tmp msiexec.exe File opened for modification C:\Windows\Installer\f76e6c9.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIE88C.tmp msiexec.exe File created C:\Windows\Installer\f76e6c9.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIEB3C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIEC3A.tmp msiexec.exe -
Executes dropped EXE 6 IoCs
pid Process 2708 MSIEBF9.tmp 2772 MSIEC3A.tmp 2880 YoudaoDict_fanyiweb_navigation.exe 2572 SoftUpdate.exe 9492 Vnfvn.exe 12596 Vnfvn.exe -
Loads dropped DLL 12 IoCs
pid Process 2504 MsiExec.exe 2504 MsiExec.exe 2504 MsiExec.exe 2572 SoftUpdate.exe 2572 SoftUpdate.exe 2572 SoftUpdate.exe 2880 YoudaoDict_fanyiweb_navigation.exe 2880 YoudaoDict_fanyiweb_navigation.exe 2880 YoudaoDict_fanyiweb_navigation.exe 2880 YoudaoDict_fanyiweb_navigation.exe 2880 YoudaoDict_fanyiweb_navigation.exe 2880 YoudaoDict_fanyiweb_navigation.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2316 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SoftUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Vnfvn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language YoudaoDict_fanyiweb_navigation.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Vnfvn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSIEBF9.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSIEC3A.tmp -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 12588 cmd.exe 10500 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Vnfvn.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Vnfvn.exe -
Modifies data under HKEY_USERS 12 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum Vnfvn.exe Key created \REGISTRY\USER\.DEFAULT\Software Vnfvn.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft Vnfvn.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum Vnfvn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings Vnfvn.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" Vnfvn.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie Vnfvn.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" Vnfvn.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Vnfvn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Vnfvn.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Vnfvn.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Vnfvn.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 10500 PING.EXE -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process 744 msiexec.exe 744 msiexec.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe 12596 Vnfvn.exe -
Suspicious use of AdjustPrivilegeToken 57 IoCs
description pid Process Token: SeShutdownPrivilege 2316 msiexec.exe Token: SeIncreaseQuotaPrivilege 2316 msiexec.exe Token: SeRestorePrivilege 744 msiexec.exe Token: SeTakeOwnershipPrivilege 744 msiexec.exe Token: SeSecurityPrivilege 744 msiexec.exe Token: SeCreateTokenPrivilege 2316 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2316 msiexec.exe Token: SeLockMemoryPrivilege 2316 msiexec.exe Token: SeIncreaseQuotaPrivilege 2316 msiexec.exe Token: SeMachineAccountPrivilege 2316 msiexec.exe Token: SeTcbPrivilege 2316 msiexec.exe Token: SeSecurityPrivilege 2316 msiexec.exe Token: SeTakeOwnershipPrivilege 2316 msiexec.exe Token: SeLoadDriverPrivilege 2316 msiexec.exe Token: SeSystemProfilePrivilege 2316 msiexec.exe Token: SeSystemtimePrivilege 2316 msiexec.exe Token: SeProfSingleProcessPrivilege 2316 msiexec.exe Token: SeIncBasePriorityPrivilege 2316 msiexec.exe Token: SeCreatePagefilePrivilege 2316 msiexec.exe Token: SeCreatePermanentPrivilege 2316 msiexec.exe Token: SeBackupPrivilege 2316 msiexec.exe Token: SeRestorePrivilege 2316 msiexec.exe Token: SeShutdownPrivilege 2316 msiexec.exe Token: SeDebugPrivilege 2316 msiexec.exe Token: SeAuditPrivilege 2316 msiexec.exe Token: SeSystemEnvironmentPrivilege 2316 msiexec.exe Token: SeChangeNotifyPrivilege 2316 msiexec.exe Token: SeRemoteShutdownPrivilege 2316 msiexec.exe Token: SeUndockPrivilege 2316 msiexec.exe Token: SeSyncAgentPrivilege 2316 msiexec.exe Token: SeEnableDelegationPrivilege 2316 msiexec.exe Token: SeManageVolumePrivilege 2316 msiexec.exe Token: SeImpersonatePrivilege 2316 msiexec.exe Token: SeCreateGlobalPrivilege 2316 msiexec.exe Token: SeRestorePrivilege 744 msiexec.exe Token: SeTakeOwnershipPrivilege 744 msiexec.exe Token: SeRestorePrivilege 744 msiexec.exe Token: SeTakeOwnershipPrivilege 744 msiexec.exe Token: SeRestorePrivilege 744 msiexec.exe Token: SeTakeOwnershipPrivilege 744 msiexec.exe Token: SeRestorePrivilege 744 msiexec.exe Token: SeTakeOwnershipPrivilege 744 msiexec.exe Token: SeRestorePrivilege 744 msiexec.exe Token: SeTakeOwnershipPrivilege 744 msiexec.exe Token: SeRestorePrivilege 744 msiexec.exe Token: SeTakeOwnershipPrivilege 744 msiexec.exe Token: SeRestorePrivilege 744 msiexec.exe Token: SeTakeOwnershipPrivilege 744 msiexec.exe Token: SeRestorePrivilege 744 msiexec.exe Token: SeTakeOwnershipPrivilege 744 msiexec.exe Token: SeRestorePrivilege 744 msiexec.exe Token: SeTakeOwnershipPrivilege 744 msiexec.exe Token: SeRestorePrivilege 744 msiexec.exe Token: SeTakeOwnershipPrivilege 744 msiexec.exe Token: SeIncBasePriorityPrivilege 2572 SoftUpdate.exe Token: 33 12596 Vnfvn.exe Token: SeIncBasePriorityPrivilege 12596 Vnfvn.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2316 msiexec.exe 2316 msiexec.exe -
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target PID 744 wrote to memory of 2504 744 msiexec.exe 32 PID 744 wrote to memory of 2504 744 msiexec.exe 32 PID 744 wrote to memory of 2504 744 msiexec.exe 32 PID 744 wrote to memory of 2504 744 msiexec.exe 32 PID 744 wrote to memory of 2504 744 msiexec.exe 32 PID 744 wrote to memory of 2504 744 msiexec.exe 32 PID 744 wrote to memory of 2504 744 msiexec.exe 32 PID 744 wrote to memory of 2708 744 msiexec.exe 33 PID 744 wrote to memory of 2708 744 msiexec.exe 33 PID 744 wrote to memory of 2708 744 msiexec.exe 33 PID 744 wrote to memory of 2708 744 msiexec.exe 33 PID 744 wrote to memory of 2708 744 msiexec.exe 33 PID 744 wrote to memory of 2708 744 msiexec.exe 33 PID 744 wrote to memory of 2708 744 msiexec.exe 33 PID 744 wrote to memory of 2772 744 msiexec.exe 34 PID 744 wrote to memory of 2772 744 msiexec.exe 34 PID 744 wrote to memory of 2772 744 msiexec.exe 34 PID 744 wrote to memory of 2772 744 msiexec.exe 34 PID 744 wrote to memory of 2772 744 msiexec.exe 34 PID 744 wrote to memory of 2772 744 msiexec.exe 34 PID 744 wrote to memory of 2772 744 msiexec.exe 34 PID 9492 wrote to memory of 12596 9492 Vnfvn.exe 39 PID 9492 wrote to memory of 12596 9492 Vnfvn.exe 39 PID 9492 wrote to memory of 12596 9492 Vnfvn.exe 39 PID 9492 wrote to memory of 12596 9492 Vnfvn.exe 39 PID 2572 wrote to memory of 12588 2572 SoftUpdate.exe 38 PID 2572 wrote to memory of 12588 2572 SoftUpdate.exe 38 PID 2572 wrote to memory of 12588 2572 SoftUpdate.exe 38 PID 2572 wrote to memory of 12588 2572 SoftUpdate.exe 38 PID 2572 wrote to memory of 12588 2572 SoftUpdate.exe 38 PID 2572 wrote to memory of 12588 2572 SoftUpdate.exe 38 PID 2572 wrote to memory of 12588 2572 SoftUpdate.exe 38 PID 12588 wrote to memory of 10500 12588 cmd.exe 41 PID 12588 wrote to memory of 10500 12588 cmd.exe 41 PID 12588 wrote to memory of 10500 12588 cmd.exe 41 PID 12588 wrote to memory of 10500 12588 cmd.exe 41 PID 12588 wrote to memory of 10500 12588 cmd.exe 41 PID 12588 wrote to memory of 10500 12588 cmd.exe 41 PID 12588 wrote to memory of 10500 12588 cmd.exe 41
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\252115f874019044de7f7ebd36067537ab1e65b51ab771ec447b073fd9d6045d.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2316
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C7C029A7D7310EADDF4E52B7A33418122⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2504
-
-
C:\Windows\Installer\MSIEBF9.tmp"C:\Windows\Installer\MSIEBF9.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2708
-
-
C:\Windows\Installer\MSIEC3A.tmp"C:\Windows\Installer\MSIEC3A.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2772
-
-
C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe"C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2880
-
C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe"C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe"1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\SOFTUP~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:12588 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:10500
-
-
-
C:\Windows\SysWOW64\Vnfvn.exeC:\Windows\SysWOW64\Vnfvn.exe -auto1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:9492 -
C:\Windows\SysWOW64\Vnfvn.exeC:\Windows\SysWOW64\Vnfvn.exe -acsi2⤵
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:12596
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
420KB
MD5fd6ffc21854389eef57b121920d7eb53
SHA18aac2bf77db334cd65d8d6c97367eb7ec86d0e5d
SHA2560fd912837817a118362aa21689ee9b3a009734bccde647071e9aaed430703e9f
SHA5129f2756c4bf8444ec5a5aa0076849cbaf082747677b5d4a53eda832c824c949b8b06429a7bd107a59e508de5406faabc386a3b7291509c43d2864197d272b9ec8
-
Filesize
27.6MB
MD527efe6811144928bfa97cd230d186b27
SHA11fe73e16d011fcaf8846184da6a55f305f676438
SHA2561612b03971062edc8cc50072404c5734e6d3ce28a3e32d45418fce6bf6a071aa
SHA51293d554c4d0b1e589c9c284f3954931232f34abf4da09c57b0c4f1f50cf618406a7d652c545800b346cee40099164f3397b8e7a075c9e3ff9e110331bf4d3f7e4
-
Filesize
48KB
MD5765cf74fc709fb3450fa71aac44e7f53
SHA1b423271b4faac68f88fef15fa4697cf0149bad85
SHA256cc46ab0bf6b19a2601cd002b06769ad08baf4ed0b14e8728973f8af96bdee57e
SHA5120c347d9a2960a17f8ec9b78ede972bf3cf6567fd079a6aa5a6ac262ac227bfd36acc53a7a127fd7f387dec9f4509f4f3f754b10853a213e993ea1573e74ed7e6
-
Filesize
38KB
MD5dab018047c171165c18329d5c59b617e
SHA188848ac4aceb7358f13d225de6d4fd0a5696517a
SHA2561cf0d9e908c3134ffce859483504420578ee8ccda399c20ecc035d1e4da93734
SHA5121f6c50885290a3b983b7b8ac4bfec546d74acf2c50bfd0d245164a5ee149fa28a2871d545286108345c055c4f86f2b115509fcf74a6b60bc3f814c1c1635162d
-
Filesize
38KB
MD55f7b90c87ea0517771862fae5f11ce94
SHA1fc9f195e888d960139278c04a0e78996c6442d5b
SHA256f906101e512c3119e71b6949d68ac01c8fdb5ef06f4c73eaef9a3f0bd6021ce2
SHA512dc08461f1e823d898f5ba42c9d1a131f599adbcb0af28c5de950a01ec74015d3da933e675986b71dde09cc74e00689ebe5f5f6cff857d335322f18d3f385edf0
-
Filesize
3KB
MD55754c67775c3f4f50a4780b3bca026b1
SHA13e95c72c13d6175ef275280fe270d678acee46e9
SHA2562a5d67757f61ca00227e9b482a7b15365ba836c11f5b7d723b650e6d4108e739
SHA512df6744556a24d4f6b907fc6126035adca4d3ce8aba52b26112e59b24ebfc5c4e079ee8ed74df3f28fc62cc3e207041cf8fb6b6a84ec58125122c214924e0a97f
-
Filesize
908KB
MD53d3ec6392cf9a8b408569a3dd4cd3ce8
SHA195ff4346eb20d9239c37e6538bb8df8542d3300a
SHA256818f2cdb763f5af1884485cffef51f192bc895132a4fdff5009935e8348f8371
SHA512e017cfd88c50c496ac86084a43a80eb3f1ec61c6397a67da2978cbb1867a4b30f563f1b4f319d00742b84df486e841804b82949e3131c7d77b7f63975dece505
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
419KB
MD5cac0eaeb267d81cf3fa968ee23a6af9d
SHA1cf6ae8e44fb4949d5f0b01b110eaba49d39270a2
SHA256f1dd0dd1e83b28ffa2ed30f46f98e94a4919ec1f4e9d33720354288b77153774
SHA5128edf9f733dda9000a6e2b70da61912dbc15f74c836d738391ceddcdff20f5b420a678450523cf331aa9bce90217aa92ac6e73d1880ae15c9842ccc7d3296f95b
-
Filesize
95KB
MD55a94bf8916a11b5fe94aca44886c9393
SHA1820d9c5e3365e323d6f43d3cce26fd9d2ea48b93
SHA2560b1e46044b580121f30bedb2b5412d3170c6afaa7800d702ee71f7666904236d
SHA51279cba3dcb249d88a6a6cfb4efcb65cc42a240af4edb14bcc7546d9c701a7b642362f9fe0488691a8906607ecc76f7b5ee5a4282fa057053b258eea143ac90c20
-
Filesize
4KB
MD529818862640ac659ce520c9c64e63e9e
SHA1485e1e6cc552fa4f05fb767043b1e7c9eb80be64
SHA256e96afa894a995a6097a405df76155a7a39962ff6cae7a59d89a25e5a34ab9eeb
SHA512ebb94eb21e060fb90ec9c86787eada42c7c9e1e7628ea4b16d3c7b414f554a94d5e4f4abe0e4ee30fddf4f904fd3002770a9b967fbd0feeca353e21079777057
-
Filesize
11KB
MD5bf712f32249029466fa86756f5546950
SHA175ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA2567851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA51213f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4
-
Filesize
9KB
MD54ccc4a742d4423f2f0ed744fd9c81f63
SHA1704f00a1acc327fd879cf75fc90d0b8f927c36bc
SHA256416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
SHA512790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb