Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17-12-2024 03:36
Behavioral task
behavioral1
Sample
884d0c2cefa850e384edd30c22b96dd9ca03443c7c57bdae7d6234c2ebf0d0c7.exe
Resource
win7-20240903-en
General
-
Target
884d0c2cefa850e384edd30c22b96dd9ca03443c7c57bdae7d6234c2ebf0d0c7.exe
-
Size
3.1MB
-
MD5
a7d75b048989da5d22a1f7cca58edb51
-
SHA1
413d22b60ae540b3b11863e2107980b0403faf50
-
SHA256
884d0c2cefa850e384edd30c22b96dd9ca03443c7c57bdae7d6234c2ebf0d0c7
-
SHA512
4a453dc7f2a0e82d66fe5d73727ab2a23b5f00ea1b4a53032e4a538b72edf9caaf0894774d0fafb4af401f74a0b65bbf2d83a0cc643dc1a66ae23fb2136dd351
-
SSDEEP
49152:TvCI22SsaNYfdPBldt698dBcjHe0RJ6qbR3LoGdHTHHB72eh2NT:TvP22SsaNYfdPBldt6+dBcjHe0RJ6E
Malware Config
Extracted
quasar
1.4.1
Nigga
yzs-42879.portmap.host:42879
57d72303-b5e9-46aa-8cc4-9690809c1a9e
-
encryption_key
F1EBDB1862062F9265C0B5AC4D02C76D026534D0
-
install_name
svchost.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
Steam
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
resource  yara_rule
behavioral2/memory/4600-1-0x0000000000A80000-0x0000000000DA4000-memory.dmp  family_quasar
behavioral2/files/0x0009000000023c95-5.dat  family_quasar
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  svchost.exe
-
Executes dropped EXE 15 IoCs
pid  Process
1328  svchost.exe
4960  svchost.exe
1752  svchost.exe
3356  svchost.exe
4388  svchost.exe
2100  svchost.exe
3228  svchost.exe
4256  svchost.exe
4504  svchost.exe
396  svchost.exe
4732  svchost.exe
2816  svchost.exe
1108  svchost.exe
452  svchost.exe
3356  svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid  Process
2172  PING.EXE
2232  PING.EXE
2280  PING.EXE
2964  PING.EXE
4232  PING.EXE
2400  PING.EXE
4080  PING.EXE
4232  PING.EXE
4908  PING.EXE
5048  PING.EXE
3084  PING.EXE
1400  PING.EXE
3212  PING.EXE
5032  PING.EXE
1980  PING.EXE
-
Runs ping.exe 1 TTPs 15 IoCs
pid  Process
3212  PING.EXE
1400  PING.EXE
4232  PING.EXE
2280  PING.EXE
4908  PING.EXE
1980  PING.EXE
2964  PING.EXE
4232  PING.EXE
5048  PING.EXE
4080  PING.EXE
2232  PING.EXE
2172  PING.EXE
2400  PING.EXE
5032  PING.EXE
3084  PING.EXE
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
description  pid  Process
Token: SeDebugPrivilege  4600  884d0c2cefa850e384edd30c22b96dd9ca03443c7c57bdae7d6234c2ebf0d0c7.exe
Token: SeDebugPrivilege  1328  svchost.exe
Token: SeDebugPrivilege  4960  svchost.exe
Token: SeDebugPrivilege  1752  svchost.exe
Token: SeDebugPrivilege  3356  svchost.exe
Token: SeDebugPrivilege  4388  svchost.exe
Token: SeDebugPrivilege  2100  svchost.exe
Token: SeDebugPrivilege  3228  svchost.exe
Token: SeDebugPrivilege  4256  svchost.exe
Token: SeDebugPrivilege  4504  svchost.exe
Token: SeDebugPrivilege  396  svchost.exe
Token: SeDebugPrivilege  4732  svchost.exe
Token: SeDebugPrivilege  2816  svchost.exe
Token: SeDebugPrivilege  1108  svchost.exe
Token: SeDebugPrivilege  452  svchost.exe
Token: SeDebugPrivilege  3356  svchost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\884d0c2cefa850e384edd30c22b96dd9ca03443c7c57bdae7d6234c2ebf0d0c7.exe "C:\Users\Admin\AppData\Local\Temp\884d0c2cefa850e384edd30c22b96dd9ca03443c7c57bdae7d6234c2ebf0d0c7.exe" 1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Users\Admin\AppData\Roaming\Steam\svchost.exe "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe" 2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JnfMtEu0MsDI.bat" " 3⤵
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\system32\chcp.com chcp 65001 4⤵ PID:1056
-
-
C:\Windows\system32\PING.EXE ping -n 10 localhost 4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2232
-
-
C:\Users\Admin\AppData\Roaming\Steam\svchost.exe "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe" 4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yGpFjkO0Ijq1.bat" " 5⤵
- Suspicious use of WriteProcessMemory
PID:5000 -
C:\Windows\system32\chcp.com chcp 65001 6⤵ PID:2228
-
-
C:\Windows\system32\PING.EXE ping -n 10 localhost 6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4232
-
-
C:\Users\Admin\AppData\Roaming\Steam\svchost.exe "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe" 6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\957vqKrCLsQX.bat" " 7⤵
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\system32\chcp.com chcp 65001 8⤵ PID:2708
-
-
C:\Windows\system32\PING.EXE ping -n 10 localhost 8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2280
-
-
C:\Users\Admin\AppData\Roaming\Steam\svchost.exe "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe" 8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4ZcDhtjhrRDN.bat" " 9⤵
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\system32\chcp.com chcp 65001 10⤵ PID:4172
-
-
C:\Windows\system32\PING.EXE ping -n 10 localhost 10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4908
-
-
C:\Users\Admin\AppData\Roaming\Steam\svchost.exe "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe" 10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B8g1jgHhMcg8.bat" " 11⤵
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\system32\chcp.com chcp 65001 12⤵ PID:3436
-
-
C:\Windows\system32\PING.EXE ping -n 10 localhost 12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2964
-
-
C:\Users\Admin\AppData\Roaming\Steam\svchost.exe "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe" 12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U8G1btIGX1wB.bat" " 13⤵
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\system32\chcp.com chcp 65001 14⤵ PID:4828
-
-
C:\Windows\system32\PING.EXE ping -n 10 localhost 14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3212
-
-
C:\Users\Admin\AppData\Roaming\Steam\svchost.exe "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe" 14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\THsXbs3D0zvT.bat" " 15⤵
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\system32\chcp.com chcp 65001 16⤵ PID:4148
-
-
C:\Windows\system32\PING.EXE ping -n 10 localhost 16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4232
-
-
C:\Users\Admin\AppData\Roaming\Steam\svchost.exe "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe" 16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mXcTx3tbxVwL.bat" " 17⤵
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\system32\chcp.com chcp 65001 18⤵ PID:448
-
-
C:\Windows\system32\PING.EXE ping -n 10 localhost 18⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5048
-
-
C:\Users\Admin\AppData\Roaming\Steam\svchost.exe "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe" 18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4504 -
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqiyoUJ1h7Oq.bat" " 19⤵ PID:2280
-
C:\Windows\system32\chcp.com chcp 65001 20⤵ PID:2960
-
-
C:\Windows\system32\PING.EXE ping -n 10 localhost 20⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5032
-
-
C:\Users\Admin\AppData\Roaming\Steam\svchost.exe "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe" 20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:396 -
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b0RGBYoRZwhJ.bat" " 21⤵ PID:4372
-
C:\Windows\system32\chcp.com chcp 65001 22⤵ PID:2560
-
-
C:\Windows\system32\PING.EXE ping -n 10 localhost 22⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3084
-
-
C:\Users\Admin\AppData\Roaming\Steam\svchost.exe "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe" 22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4732 -
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EfvAMDLlWsUZ.bat" " 23⤵ PID:440
-
C:\Windows\system32\chcp.com chcp 65001 24⤵ PID:4812
-
-
C:\Windows\system32\PING.EXE ping -n 10 localhost 24⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1400
-
-
C:\Users\Admin\AppData\Roaming\Steam\svchost.exe "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe" 24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2816 -
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4YagyB3rZGa9.bat" " 25⤵ PID:220
-
C:\Windows\system32\chcp.com chcp 65001 26⤵ PID:4992
-
-
C:\Windows\system32\PING.EXE ping -n 10 localhost 26⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1980
-
-
C:\Users\Admin\AppData\Roaming\Steam\svchost.exe "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe" 26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1108 -
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\95n8IjQr35HU.bat" " 27⤵ PID:1752
-
C:\Windows\system32\chcp.com chcp 65001 28⤵ PID:3648
-
-
C:\Windows\system32\PING.EXE ping -n 10 localhost 28⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2172
-
-
C:\Users\Admin\AppData\Roaming\Steam\svchost.exe "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe" 28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:452 -
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZrtIi3qQElYX.bat" " 29⤵ PID:4752
-
C:\Windows\system32\chcp.com chcp 65001 30⤵ PID:3116
-
-
C:\Windows\system32\PING.EXE ping -n 10 localhost 30⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2400
-
-
C:\Users\Admin\AppData\Roaming\Steam\svchost.exe "C:\Users\Admin\AppData\Roaming\Steam\svchost.exe" 30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3356 -
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JbZUhwksOJ37.bat" " 31⤵ PID:4332
-
C:\Windows\system32\chcp.com chcp 65001 32⤵ PID:1604
-
-
C:\Windows\system32\PING.EXE ping -n 10 localhost 32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4080
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads