Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
01/01/2025, 06:41
Behavioral task
behavioral1
Sample
61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe
Resource
win7-20240903-en
General
-
Target
61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe
-
Size
8.8MB
-
MD5
730bf213d90c18e9bef986876e531811
-
SHA1
ee9ed047072eb38d07e051038a01d31b7f2863a1
-
SHA256
61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8
-
SHA512
797a6a69a0c7b66e5818ff6048bbf4c6db41af29abc05875bddfc93ca822304358fee1d9d656cae0156306a3c33c6bd1baccaf8e517ef2a46ca8a649e4c00735
-
SSDEEP
98304:wws2ANnKXOaeOgmhVCPnsmtk2aX235t9jZcDRH2WeOE4MvKey0GlJJNuZIqPF:mKXbeO7HCfL3uWMkSey0GBNuZLPF
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
resource yara_rule behavioral2/memory/1960-14-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/1960-18-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/1960-15-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/4156-23-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/4156-24-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/4156-25-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/4428-35-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/4156-33-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/4428-85-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/4428-90-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 11 IoCs
resource yara_rule behavioral2/files/0x0009000000023c98-5.dat family_gh0strat behavioral2/memory/1960-14-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/1960-18-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/1960-15-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/4156-23-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/4156-24-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/4156-25-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/4428-35-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/4156-33-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/4428-85-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/4428-90-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Xred family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys TXPlatfor.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" TXPlatfor.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation Synaptics.exe -
Executes dropped EXE 8 IoCs
pid Process 1912 R.exe 1960 N.exe 4156 TXPlatfor.exe 4428 TXPlatfor.exe 3912 HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 1300 ._cache_HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 384 Synaptics.exe 2020 ._cache_Synaptics.exe -
Loads dropped DLL 5 IoCs
pid Process 1912 R.exe 384 Synaptics.exe 384 Synaptics.exe 384 Synaptics.exe 384 Synaptics.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\240627765.txt R.exe File created C:\Windows\SysWOW64\TXPlatfor.exe N.exe File opened for modification C:\Windows\SysWOW64\TXPlatfor.exe N.exe -
resource yara_rule behavioral2/memory/1960-12-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/1960-14-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/1960-18-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/1960-15-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/4156-23-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/4156-24-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/4156-25-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/4156-21-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/4428-35-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/4156-33-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/4428-85-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/4428-90-0x0000000010000000-0x00000000101B6000-memory.dmp upx -
Drops file in Program Files directory 1 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 432 1912 WerFault.exe 84 1056 1912 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TXPlatfor.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language R.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2272 cmd.exe 3612 PING.EXE -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Synaptics.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3612 PING.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2676 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3076 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 3076 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 4428 TXPlatfor.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 1960 N.exe Token: SeLoadDriverPrivilege 4428 TXPlatfor.exe Token: 33 4428 TXPlatfor.exe Token: SeIncBasePriorityPrivilege 4428 TXPlatfor.exe Token: 33 4428 TXPlatfor.exe Token: SeIncBasePriorityPrivilege 4428 TXPlatfor.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 3076 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 3076 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 2676 EXCEL.EXE 2676 EXCEL.EXE 2676 EXCEL.EXE 2676 EXCEL.EXE 2676 EXCEL.EXE 2676 EXCEL.EXE -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 3076 wrote to memory of 1912 3076 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 84 PID 3076 wrote to memory of 1912 3076 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 84 PID 3076 wrote to memory of 1912 3076 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 84 PID 3076 wrote to memory of 1960 3076 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 90 PID 3076 wrote to memory of 1960 3076 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 90 PID 3076 wrote to memory of 1960 3076 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 90 PID 1960 wrote to memory of 2272 1960 N.exe 92 PID 1960 wrote to memory of 2272 1960 N.exe 92 PID 1960 wrote to memory of 2272 1960 N.exe 92 PID 4156 wrote to memory of 4428 4156 TXPlatfor.exe 94 PID 4156 wrote to memory of 4428 4156 TXPlatfor.exe 94 PID 4156 wrote to memory of 4428 4156 TXPlatfor.exe 94 PID 3076 wrote to memory of 3912 3076 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 95 PID 3076 wrote to memory of 3912 3076 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 95 PID 3076 wrote to memory of 3912 3076 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 95 PID 2272 wrote to memory of 3612 2272 cmd.exe 96 PID 2272 wrote to memory of 3612 2272 cmd.exe 96 PID 2272 wrote to memory of 3612 2272 cmd.exe 96 PID 3912 wrote to memory of 1300 3912 HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 97 PID 3912 wrote to memory of 1300 3912 HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 97 PID 3912 wrote to memory of 1300 3912 HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 97 PID 3912 wrote to memory of 384 3912 HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 99 PID 3912 wrote to memory of 384 3912 HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 99 PID 3912 wrote to memory of 384 3912 HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 99 PID 384 wrote to memory of 2020 384 Synaptics.exe 101 PID 384 wrote to memory of 2020 384 Synaptics.exe 101 PID 384 wrote to memory of 2020 384 Synaptics.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe"C:\Users\Admin\AppData\Local\Temp\61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3076 -
C:\Users\Admin\AppData\Local\Temp\R.exeC:\Users\Admin\AppData\Local\Temp\\R.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1912 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 4603⤵
- Program crash
PID:432
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 3963⤵
- Program crash
PID:1056
-
-
-
C:\Users\Admin\AppData\Local\Temp\N.exeC:\Users\Admin\AppData\Local\Temp\\N.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3612
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exeC:\Users\Admin\AppData\Local\Temp\HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Users\Admin\AppData\Local\Temp\._cache_HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe"C:\Users\Admin\AppData\Local\Temp\._cache_HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1300
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2020
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1912 -ip 19121⤵PID:3392
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1912 -ip 19121⤵PID:3916
-
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4428
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2676
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\._cache_HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe
Filesize5.7MB
MD53b0c0331799d69225e1ba24e6cb0dfab
SHA15584f5b9aeff12b32d214d792e373901af71f3a3
SHA256bce1f6f6f6532266837b66d719bfbd177d406d6d7d8d5adfd5e7c59fcde651a5
SHA5122b1305374a734cf34661b4720e38fb9dc91a080d1f53be6092276f8f54041c4acd658b10fd65f5db21ccabee594c0a008727e3aad7d289147dff17a346998573
-
Filesize
21KB
MD5de65f0a0de14445cdbf4e9eb69d9b5f8
SHA17230b3786679b990defcd42e8dc78ce7324263e9
SHA2565d5bbe405cde170629d76c3cc7c89deaeb3a8b26bca0fe301d1259ea9f2a0a3b
SHA512e6f06f424a325362ec6ed832d89efac5cc9ae9625272d7f37229697f31988057c83f6a5ba412652b4dc739823b298f752626def08ce60ad47c5dc17a39ed9821
-
C:\Users\Admin\AppData\Local\Temp\HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe
Filesize6.4MB
MD5699db42d0470ab462d7176e92a188e95
SHA1afa2164839e79dd2dd1d39ab8a0e8183d3d07809
SHA2561ca4c084c7ff06666f9e3c64f5656738245b2f103788ead3d763205c959c875c
SHA5120c6b3bcc94617f2e8bc7c311dfb9004f7d187cdb4818582871e44c5269a7d39535905d6f175fd227d0ad178c93495765c2901a443882fe68e16f8b9c1a04ca1e
-
Filesize
377KB
MD54a36a48e58829c22381572b2040b6fe0
SHA1f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA2563de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA5125d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0
-
Filesize
941KB
MD58dc3adf1c490211971c1e2325f1424d2
SHA14eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
6.4MB
MD5dde980c23d9645d2365fab49d10dd078
SHA1e150b3c9d10b26356f9682f5947423a7f5929076
SHA2564a8569cecb70601f7d1bbc2f672ec04cb6e2aa1c96e723a5023509ce266a088f
SHA51217bd036cd71fb3bf25b9e565b74b9912262818ea838122e5872c5e70488272e2bf8206d27f96861116c38d2655b1312ec64feae6e54e9d665d26335ce530f61d
-
Filesize
6.4MB
MD59f2f635a7f1a943ec218c00823fa3ac7
SHA1143ffbe37563732cbe9fc8cdbfcb552d973624d1
SHA25694479569c1a6f8bd39d72b20954d892434dcff21c45ef6bb65d5b93e6749720e
SHA512d30ecc6f82b49cda9306889c587cc9f5822115ff0b9d206dbb7dc8ebbda0f2657f14394d915a2e81c1a83571a1d684be9c56ef5e69999771625d0c3d612bce6e
-
Filesize
6.4MB
MD54ceffe504f656458704f30af33e9abc8
SHA18267fc8026b41fe655032068d145b4537b0a4e0d
SHA256020df25e97c3f46effa04224b7f42b367482e20d9ad660e45f45dbb0fce0f885
SHA51285f62a0e065e47d8f605e4a4613d966d97d6b2f557891b2b97a2241370e9559ad7b00e18bad044cef7899492b451d29762b10e59599fac18cfddcedd9b23e258
-
Filesize
6.4MB
MD5c4efd6d2653522d01a3b49ba36dba005
SHA122df8ccfeaabf45f1f4703c2f2474bbefb8011dd
SHA2565a3954232351e0875cd62e5ec2e5893070710e245e987a717913d7221ee53aa6
SHA512dc86f3c74561a5533c3a4ddfbd61695a84c27491221ce6fcd4f75064973a4823099702a0cd9c8d1a1474f2d20f0cb7040a6c4935c40a51b004cd22ebfc259fbf
-
Filesize
2.7MB
MD5a8c7c849a53ac4b29b41d37b0ba73d45
SHA1a18f60bfe3db9c41098a0a2426f287ea9ff9b187
SHA256364bc8118f7684a1ef299a1c1709333e87a8309e0ec687f251b060666e85c4bc
SHA5123e43fa7b90539e100e27780a25e3737af22af8415df340d09e1c7d37a0af4bd2d2ca936a40d556d2f0741f11e7a4d1579c0b30601704b601cd9c34955b645795
-
Filesize
899KB
MD5aa0449b97d533096d0f2a8a2ecaea630
SHA15f5a0c55b656f0c29938e81287b9b6a815face13
SHA25618da06578b28fc9bf450309c398fc63a1403a4d79b011d8169178ad1fa1f85c9
SHA512c59f45ee9a0e3f37fb98c71b4d5feaeffb18faffdb085da7242144eb5b49c80e9a43111528f86bf5cdd57640729e2304a9019b53fc7f5303d31b60c382bda64c