Analysis
-
max time kernel
141s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16-12-2024 06:34
Behavioral task
behavioral1
Sample
RuntimeBroker.exe
Resource
win7-20240903-en
General
-
Target
RuntimeBroker.exe
-
Size
3.1MB
-
MD5
f4da021b8bc9d8ef1ff9ce30b0ab3b79
-
SHA1
998a833c28617bf3e215fe7a8c3552972da36851
-
SHA256
b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545
-
SHA512
77e30dfa5d917e0a2467217902b4a75e485f7419e31ea8fe09f6e721d5ba138a68cb354204f79a84e5167b771e3dfb86f182eec647b43dce70ee261b6b7f829c
-
SSDEEP
98304:ZvlL26AaNeWgPhlmVqkQ7XSKVcRJ6p3I:Nj4SN43I
Malware Config
Extracted
quasar
1.4.1
Nigga
yzs-42879.portmap.host:42879
57d72303-b5e9-46aa-8cc4-9690809c1a9e
-
encryption_key
F1EBDB1862062F9265C0B5AC4D02C76D026534D0
-
install_name
RuntimeBroker.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
Temp
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
resource yara_rule behavioral2/memory/4428-1-0x0000000000170000-0x0000000000494000-memory.dmp family_quasar behavioral2/files/0x0007000000023c82-5.dat family_quasar -
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation RuntimeBroker.exe -
Executes dropped EXE 14 IoCs
pid Process 4284 RuntimeBroker.exe 4276 RuntimeBroker.exe 4532 RuntimeBroker.exe 1364 RuntimeBroker.exe 4308 RuntimeBroker.exe 4104 RuntimeBroker.exe 4936 RuntimeBroker.exe 1772 RuntimeBroker.exe 4372 RuntimeBroker.exe 4120 RuntimeBroker.exe 696 RuntimeBroker.exe 736 RuntimeBroker.exe 2392 RuntimeBroker.exe 2152 RuntimeBroker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4312 PING.EXE 1740 PING.EXE 372 PING.EXE 3008 PING.EXE 3364 PING.EXE 2352 PING.EXE 2508 PING.EXE 664 PING.EXE 3904 PING.EXE 5028 PING.EXE 4008 PING.EXE 1904 PING.EXE 2320 PING.EXE 1736 PING.EXE -
Runs ping.exe 1 TTPs 14 IoCs
pid Process 1904 PING.EXE 3904 PING.EXE 2508 PING.EXE 664 PING.EXE 2352 PING.EXE 1736 PING.EXE 3364 PING.EXE 2320 PING.EXE 1740 PING.EXE 5028 PING.EXE 4008 PING.EXE 4312 PING.EXE 372 PING.EXE 3008 PING.EXE -
Suspicious use of AdjustPrivilegeToken 15 IoCs
description pid Process Token: SeDebugPrivilege 4428 RuntimeBroker.exe Token: SeDebugPrivilege 4284 RuntimeBroker.exe Token: SeDebugPrivilege 4276 RuntimeBroker.exe Token: SeDebugPrivilege 4532 RuntimeBroker.exe Token: SeDebugPrivilege 1364 RuntimeBroker.exe Token: SeDebugPrivilege 4308 RuntimeBroker.exe Token: SeDebugPrivilege 4104 RuntimeBroker.exe Token: SeDebugPrivilege 4936 RuntimeBroker.exe Token: SeDebugPrivilege 1772 RuntimeBroker.exe Token: SeDebugPrivilege 4372 RuntimeBroker.exe Token: SeDebugPrivilege 4120 RuntimeBroker.exe Token: SeDebugPrivilege 696 RuntimeBroker.exe Token: SeDebugPrivilege 736 RuntimeBroker.exe Token: SeDebugPrivilege 2392 RuntimeBroker.exe Token: SeDebugPrivilege 2152 RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4428 wrote to memory of 4284 4428 RuntimeBroker.exe 82 PID 4428 wrote to memory of 4284 4428 RuntimeBroker.exe 82 PID 4284 wrote to memory of 464 4284 RuntimeBroker.exe 83 PID 4284 wrote to memory of 464 4284 RuntimeBroker.exe 83 PID 464 wrote to memory of 4540 464 cmd.exe 85 PID 464 wrote to memory of 4540 464 cmd.exe 85 PID 464 wrote to memory of 4312 464 cmd.exe 86 PID 464 wrote to memory of 4312 464 cmd.exe 86 PID 464 wrote to memory of 4276 464 cmd.exe 92 PID 464 wrote to memory of 4276 464 cmd.exe 92 PID 4276 wrote to memory of 4568 4276 RuntimeBroker.exe 93 PID 4276 wrote to memory of 4568 4276 RuntimeBroker.exe 93 PID 4568 wrote to memory of 3832 4568 cmd.exe 95 PID 4568 wrote to memory of 3832 4568 cmd.exe 95 PID 4568 wrote to memory of 1904 4568 cmd.exe 96 PID 4568 wrote to memory of 1904 4568 cmd.exe 96 PID 4568 wrote to memory of 4532 4568 cmd.exe 99 PID 4568 wrote to memory of 4532 4568 cmd.exe 99 PID 4532 wrote to memory of 4424 4532 RuntimeBroker.exe 100 PID 4532 wrote to memory of 4424 4532 RuntimeBroker.exe 100 PID 4424 wrote to memory of 1832 4424 cmd.exe 102 PID 4424 wrote to memory of 1832 4424 cmd.exe 102 PID 4424 wrote to memory of 2352 4424 cmd.exe 103 PID 4424 wrote to memory of 2352 4424 cmd.exe 103 PID 4424 wrote to memory of 1364 4424 cmd.exe 106 PID 4424 wrote to memory of 1364 4424 cmd.exe 106 PID 1364 wrote to memory of 60 1364 RuntimeBroker.exe 107 PID 1364 wrote to memory of 60 1364 RuntimeBroker.exe 107 PID 60 wrote to memory of 4316 60 cmd.exe 109 PID 60 wrote to memory of 4316 60 cmd.exe 109 PID 60 wrote to memory of 2320 60 cmd.exe 110 PID 60 wrote to memory of 2320 60 cmd.exe 110 PID 60 wrote to memory of 4308 60 cmd.exe 111 PID 60 wrote to memory of 4308 60 cmd.exe 111 PID 4308 wrote to memory of 1560 4308 RuntimeBroker.exe 112 PID 4308 wrote to memory of 1560 4308 RuntimeBroker.exe 112 PID 1560 wrote to memory of 1244 1560 cmd.exe 114 PID 1560 wrote to memory of 1244 1560 cmd.exe 114 PID 1560 wrote to memory of 3904 1560 cmd.exe 115 PID 1560 wrote to memory of 3904 1560 cmd.exe 115 PID 1560 wrote to memory of 4104 1560 cmd.exe 116 PID 1560 wrote to memory of 4104 1560 cmd.exe 116 PID 4104 wrote to memory of 1216 4104 RuntimeBroker.exe 117 PID 4104 wrote to memory of 1216 4104 RuntimeBroker.exe 117 PID 1216 wrote to memory of 4588 1216 cmd.exe 119 PID 1216 wrote to memory of 4588 1216 cmd.exe 119 PID 1216 wrote to memory of 1740 1216 cmd.exe 120 PID 1216 wrote to memory of 1740 1216 cmd.exe 120 PID 1216 wrote to memory of 4936 1216 cmd.exe 121 PID 1216 wrote to memory of 4936 1216 cmd.exe 121 PID 4936 wrote to memory of 1716 4936 RuntimeBroker.exe 122 PID 4936 wrote to memory of 1716 4936 RuntimeBroker.exe 122 PID 1716 wrote to memory of 4008 1716 cmd.exe 124 PID 1716 wrote to memory of 4008 1716 cmd.exe 124 PID 1716 wrote to memory of 372 1716 cmd.exe 125 PID 1716 wrote to memory of 372 1716 cmd.exe 125 PID 1716 wrote to memory of 1772 1716 cmd.exe 126 PID 1716 wrote to memory of 1772 1716 cmd.exe 126 PID 1772 wrote to memory of 1104 1772 RuntimeBroker.exe 127 PID 1772 wrote to memory of 1104 1772 RuntimeBroker.exe 127 PID 1104 wrote to memory of 1996 1104 cmd.exe 129 PID 1104 wrote to memory of 1996 1104 cmd.exe 129 PID 1104 wrote to memory of 2508 1104 cmd.exe 130 PID 1104 wrote to memory of 2508 1104 cmd.exe 130
Processes
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GtFnIuCBvRXO.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\system32\chcp.comchcp 650014⤵PID:4540
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4312
-
-
C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9qvq1lvKQaov.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\system32\chcp.comchcp 650016⤵PID:3832
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1904
-
-
C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T3Kf8PLbgyh3.bat" "7⤵
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\system32\chcp.comchcp 650018⤵PID:1832
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2352
-
-
C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noKxJ01n9X0I.bat" "9⤵
- Suspicious use of WriteProcessMemory
PID:60 -
C:\Windows\system32\chcp.comchcp 6500110⤵PID:4316
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2320
-
-
C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UbJSmlyyXYwQ.bat" "11⤵
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\system32\chcp.comchcp 6500112⤵PID:1244
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3904
-
-
C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PRvIFPVdkRLi.bat" "13⤵
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\system32\chcp.comchcp 6500114⤵PID:4588
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1740
-
-
C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fPIyvGhMQgyp.bat" "15⤵
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\system32\chcp.comchcp 6500116⤵PID:4008
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:372
-
-
C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NNZQZaYaJjA0.bat" "17⤵
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\system32\chcp.comchcp 6500118⤵PID:1996
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost18⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2508
-
-
C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4372 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaMyGArQJMe1.bat" "19⤵PID:3216
-
C:\Windows\system32\chcp.comchcp 6500120⤵PID:3536
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost20⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3008
-
-
C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4120 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l88dQQHk1ryR.bat" "21⤵PID:3724
-
C:\Windows\system32\chcp.comchcp 6500122⤵PID:2912
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost22⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5028
-
-
C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:696 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0xZKmdTp1ABS.bat" "23⤵PID:3412
-
C:\Windows\system32\chcp.comchcp 6500124⤵PID:4616
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost24⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1736
-
-
C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:736 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kNjvOGxxeYOG.bat" "25⤵PID:2100
-
C:\Windows\system32\chcp.comchcp 6500126⤵PID:3548
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost26⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3364
-
-
C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2392 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoEjOr6td19J.bat" "27⤵PID:3792
-
C:\Windows\system32\chcp.comchcp 6500128⤵PID:3880
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost28⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:664
-
-
C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\Temp\RuntimeBroker.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2152 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwdfQDV5sZUk.bat" "29⤵PID:2404
-
C:\Windows\system32\chcp.comchcp 6500130⤵PID:3800
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost30⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4008
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
212B
MD52b8ad50a832ec0010efaf846a436cf47
SHA1437bf28f79d7e7f513377027af9e45906ab6cede
SHA256115c4735c68b6788fa3a568fa0282ed7d07481ec7ef2eb9cdf1c7d556eaa1fac
SHA512483c8100c126559a7970a21513e9e9c6a398a4231922beab22a63c4fd0ddf2babbbc9461cedd18cec207867f0d3b7c11959bc2b47f1a66928dd13a521da6ce1f
-
Filesize
212B
MD5153cb0f6abeb23d7d900e8595918d726
SHA1dccfec958acb16ac0c760d7d1aa4bded8b711bc3
SHA256f8773789780a0088fb7f912f82b8932b2dadadd4b64a90c6ee0bbc62978b4b39
SHA512f0dc422202a06b1f35622c4dbc19b723976210f1bc47daf07d0a4dc84a3ed0cfe2a5585a0a8b7dd3f0273e9de0ec52846968f7f79b3dfe5dd209cc7cc04cde1f
-
Filesize
212B
MD520d1b8ff5a779eacebc6bf250365739f
SHA10d67058501ac939328d01d92ba3d535482d2dd4e
SHA256b14369111cb38ccdfc79e2b0c178f33973d7ece4f04337fab7975fb7409457a0
SHA51239d6c77bc3e5252ead91af6ac12b5c723e4579239ab1dccc81c1ed9d4b4333ca274c98148154ebe08f0feb8582fb3efc468836828df2b60a414aeb28e5ac16c3
-
Filesize
212B
MD5c1ad99e8bf00d2f777cdf608163a2afc
SHA1139643a6aad2fce328832c3a4a99556ddc32c604
SHA256ad52effad599b58f48e04424952de48443699449306bbf108cab9adb0d8fd526
SHA5125d8c2115291748a3bd85057261803e0a67ff5ddceece7753c7357473bbc80f8fcdddbd37326e539b06261678804d131fa5e8a0acbf4919f90d12b65cb9263a91
-
Filesize
212B
MD56309c4b64b0d995e8ddc71fb411009ad
SHA12b7b2301367837007a4d6f4f678a66553eacaf66
SHA2565371038d8abe1269ab2618cb11157e49b067eb4f4d8007acf3df98bba14afa0d
SHA51203bf04a124733753460c04f1001cd9044c689800913c61d28c912834f66e1b53b6d0f4478303938366f05870ee776c72d7ffeda64d7e5ccee0b5fd5cf0ae3d06
-
Filesize
212B
MD5a109b38250e5560d487d00bfb251cfc0
SHA15bdfe0c8ebe50f5bde7aad7440203ab3890e2407
SHA2565114b5d8bc21e54b5097d6ed31d0bd3468c30380827903f06cc58a1e76ba342d
SHA512bdeadbc568b8b681da232800af2b72f895d2e23fd8131c5b887c29f51ad155dc97ca30b22255b5e47f4cc5dd70558cc0d91745f4f251d470b65aee06ec953d8a
-
Filesize
212B
MD56d3e58974ab04c42aadd73f1093a56c8
SHA15c4cd868c8ae0864a8754ca43452cc8fa821da85
SHA256d0af4698a94f77413575ecaeb03d31339cca51d56c1fcbe55ec6432c3ba39d05
SHA512919ce6c3e6c424dc28b472cb6c675e68c3f90b3348565beae7be0d8f4c91750c9875cd6bd4b42227dd0452aebe23e50dc7df1402fe5a7bf04dfa1ff95cf4d880
-
Filesize
212B
MD5dff1e6e641cf3da01db1ab3efad12985
SHA1e96e5a48ebbf279c1322031ac6a641663f42431f
SHA256ee19a82e855a37aa19fe2a2502214d1a538d7ec47258e909fe458df7ed23be15
SHA51254d7418e20b4d8ad9a2db09cbdd5891fd6896bc7ce3ec059610a7cb6830cdfa798e914fc96af920fb2c64e12e6a874b8d2f5b2fc3447c96478aaedf2e1da3d9a
-
Filesize
212B
MD59c32b072779fa7ee473724870c268e76
SHA1fd4303ae44c7d1584d956a4cf71b9c3b6dfcf991
SHA25625013764a28f486af962ffe9273d253bc0eaca628e026de64c02aa5dd99da898
SHA512138af41e3a5092165a7b0e5410fc86bb9d6064dea70b174a20b85248422d84644cb5529cc79f27c692c90bdc8a053efa4f2c9ee5569ce4b7651bbd1996faee8a
-
Filesize
212B
MD52aacf2b51a5f5c7d94768b75c1a2ac6d
SHA1c91d89911912feb076a4abbaadec0d06b7ec7027
SHA2563049de7e13e8e1e1a5a7a822532db91a89060761637004190b24e867d0ca8bce
SHA5129244e87c62fb0e7362673af9788fb4e62929275a41c4be363033a2c3479ef6b423fffcc7c91e0067f16ddcb37328916941cf34b21b9fe0e912f69b2f2db9025c
-
Filesize
212B
MD5564dd18fc7d19577f867ad4ae84f4777
SHA1890e85325943a8f41d42e9e84edfc2b00f8fcc7b
SHA256e4042a2b6f181f142c97f8a4a23b4f2cf25d7c1bf93afeaf439f0962a0845d7d
SHA5122429c3a31462c3b1a32003b4b6530a06fa4c206bcfa42df33946af573b722a21f5f3f41fa7062d313c39995152788c5d8f13ec5ae0e48970aa03bf881788cba5
-
Filesize
212B
MD576aded24da8a9ee80945751d4383c7ce
SHA1bc2212fb34099e795d032e4fa68bfae1e4535992
SHA256291942fa37cb3726d2807df88497a753e76ce5ede84033b9ef02f5e248086367
SHA5120392e8c0b740beecb987f92bcaa58e921f87a14dc3a6dbd576bc6e9db4b12a75e6c13c5412ca6457ac3f63318cb21ba41ebdd78c985b70e32c094035fdf686c0
-
Filesize
212B
MD55f685f4eecbdca3fa112113d147d15de
SHA12d71c584203410e24111d676fba1661588a005df
SHA25654ac4daf6b7e1cf44e1d1f106a014d6f975b3f9c3ecefcb253b308f401476255
SHA512ffd7d4a02df03712630e3f90bcb7fd3240ed2a42644c283eb0d956b31612f42c8259c80db5ffe3a32f4f1d8457d131c6225cf3f59b8bfb00ff612554e11b11f3
-
Filesize
212B
MD5392720bfe76092017582917fd1bd1aa6
SHA1731a97e3857e997b4005ce1cb4d5947542307288
SHA25681566a95ed6bf8be6a39c82f70e763aae31a8c951c415e93899f68204344c681
SHA512d8df093857bb741736c227beec3109ac925b386d7a3e626892ceffc6966fb60ae2642ec302acd3676f6c56ffc3eb8f3aedb014c46d632f83325488cdee62137f
-
Filesize
3.1MB
MD5f4da021b8bc9d8ef1ff9ce30b0ab3b79
SHA1998a833c28617bf3e215fe7a8c3552972da36851
SHA256b94aa59b804c08814ac8c7cd538f24d10d68ca30c147ef03a1c57f979ec06545
SHA51277e30dfa5d917e0a2467217902b4a75e485f7419e31ea8fe09f6e721d5ba138a68cb354204f79a84e5167b771e3dfb86f182eec647b43dce70ee261b6b7f829c