Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
01/01/2025, 06:45
Behavioral task
behavioral1
Sample
61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe
Resource
win7-20240903-en
General
-
Target
61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe
-
Size
8.8MB
-
MD5
730bf213d90c18e9bef986876e531811
-
SHA1
ee9ed047072eb38d07e051038a01d31b7f2863a1
-
SHA256
61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8
-
SHA512
797a6a69a0c7b66e5818ff6048bbf4c6db41af29abc05875bddfc93ca822304358fee1d9d656cae0156306a3c33c6bd1baccaf8e517ef2a46ca8a649e4c00735
-
SSDEEP
98304:wws2ANnKXOaeOgmhVCPnsmtk2aX235t9jZcDRH2WeOE4MvKey0GlJJNuZIqPF:mKXbeO7HCfL3uWMkSey0GBNuZLPF
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
resource yara_rule behavioral2/memory/816-19-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/816-23-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/816-20-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/4876-28-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/4876-29-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/5048-38-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/5048-44-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/5048-45-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 9 IoCs
resource yara_rule behavioral2/files/0x000d000000023b99-5.dat family_gh0strat behavioral2/memory/816-19-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/816-23-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/816-20-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/4876-28-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/4876-29-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/5048-38-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/5048-44-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/5048-45-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Xred family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys TXPlatfor.exe -
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\240627578.txt" R.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" TXPlatfor.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation Synaptics.exe -
Executes dropped EXE 9 IoCs
pid Process 1004 R.exe 816 N.exe 4876 TXPlatfor.exe 5048 TXPlatfor.exe 5100 HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 5104 ._cache_HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 4624 Synaptics.exe 1964 ._cache_Synaptics.exe 2532 Remote Data.exe -
Loads dropped DLL 3 IoCs
pid Process 1004 R.exe 2096 svchost.exe 2532 Remote Data.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File created C:\Windows\SysWOW64\240627578.txt R.exe File opened for modification C:\Windows\SysWOW64\ini.ini R.exe File created C:\Windows\SysWOW64\Remote Data.exe svchost.exe File opened for modification C:\Windows\SysWOW64\Remote Data.exe svchost.exe File created C:\Windows\SysWOW64\TXPlatfor.exe N.exe File opened for modification C:\Windows\SysWOW64\TXPlatfor.exe N.exe -
resource yara_rule behavioral2/memory/816-19-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/816-23-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/816-20-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/816-17-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/4876-26-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/4876-28-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/4876-29-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/5048-38-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/5048-44-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/5048-45-0x0000000010000000-0x00000000101B6000-memory.dmp upx -
Drops file in Program Files directory 1 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language R.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TXPlatfor.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ._cache_HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Remote Data.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4228 cmd.exe 4148 PING.EXE -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Synaptics.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4148 PING.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 824 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3308 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 3308 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 5048 TXPlatfor.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 816 N.exe Token: SeLoadDriverPrivilege 5048 TXPlatfor.exe Token: 33 5048 TXPlatfor.exe Token: SeIncBasePriorityPrivilege 5048 TXPlatfor.exe Token: 33 5048 TXPlatfor.exe Token: SeIncBasePriorityPrivilege 5048 TXPlatfor.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 3308 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 3308 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 824 EXCEL.EXE 824 EXCEL.EXE 824 EXCEL.EXE 824 EXCEL.EXE 824 EXCEL.EXE 824 EXCEL.EXE -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 3308 wrote to memory of 1004 3308 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 82 PID 3308 wrote to memory of 1004 3308 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 82 PID 3308 wrote to memory of 1004 3308 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 82 PID 3308 wrote to memory of 816 3308 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 85 PID 3308 wrote to memory of 816 3308 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 85 PID 3308 wrote to memory of 816 3308 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 85 PID 816 wrote to memory of 4228 816 N.exe 87 PID 816 wrote to memory of 4228 816 N.exe 87 PID 816 wrote to memory of 4228 816 N.exe 87 PID 4876 wrote to memory of 5048 4876 TXPlatfor.exe 88 PID 4876 wrote to memory of 5048 4876 TXPlatfor.exe 88 PID 4876 wrote to memory of 5048 4876 TXPlatfor.exe 88 PID 3308 wrote to memory of 5100 3308 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 90 PID 3308 wrote to memory of 5100 3308 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 90 PID 3308 wrote to memory of 5100 3308 61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 90 PID 4228 wrote to memory of 4148 4228 cmd.exe 91 PID 4228 wrote to memory of 4148 4228 cmd.exe 91 PID 4228 wrote to memory of 4148 4228 cmd.exe 91 PID 5100 wrote to memory of 5104 5100 HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 92 PID 5100 wrote to memory of 5104 5100 HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 92 PID 5100 wrote to memory of 5104 5100 HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 92 PID 5100 wrote to memory of 4624 5100 HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 94 PID 5100 wrote to memory of 4624 5100 HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 94 PID 5100 wrote to memory of 4624 5100 HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe 94 PID 4624 wrote to memory of 1964 4624 Synaptics.exe 95 PID 4624 wrote to memory of 1964 4624 Synaptics.exe 95 PID 4624 wrote to memory of 1964 4624 Synaptics.exe 95 PID 2096 wrote to memory of 2532 2096 svchost.exe 102 PID 2096 wrote to memory of 2532 2096 svchost.exe 102 PID 2096 wrote to memory of 2532 2096 svchost.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe"C:\Users\Admin\AppData\Local\Temp\61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Users\Admin\AppData\Local\Temp\R.exeC:\Users\Admin\AppData\Local\Temp\\R.exe2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1004
-
-
C:\Users\Admin\AppData\Local\Temp\N.exeC:\Users\Admin\AppData\Local\Temp\\N.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4148
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exeC:\Users\Admin\AppData\Local\Temp\HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Users\Admin\AppData\Local\Temp\._cache_HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe"C:\Users\Admin\AppData\Local\Temp\._cache_HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5104
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1964
-
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Remote Data"1⤵PID:560
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Remote Data"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Remote Data.exe"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240627578.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2532
-
-
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:5048
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:824
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Server Software Component
1Terminal Services DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\._cache_HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe
Filesize5.7MB
MD53b0c0331799d69225e1ba24e6cb0dfab
SHA15584f5b9aeff12b32d214d792e373901af71f3a3
SHA256bce1f6f6f6532266837b66d719bfbd177d406d6d7d8d5adfd5e7c59fcde651a5
SHA5122b1305374a734cf34661b4720e38fb9dc91a080d1f53be6092276f8f54041c4acd658b10fd65f5db21ccabee594c0a008727e3aad7d289147dff17a346998573
-
Filesize
27KB
MD547ed1502e3a8383c0b7e6f78bcde4d5b
SHA1c474cbef3946e66813cb6ca0ffa14b2be5e99185
SHA256ef55516518c1d61dd0dffb3b6b699faadaff73e0c85514725dede3adb3d378af
SHA5129f22dc1c85741711d4f789b23a6649fb449036a4d9a9ec9bb406fe3aec000ae6dbc8ce0e3cebe7acbc5477e0eaaea8a41d3d3193e2e5adc6f95648aa34166716
-
C:\Users\Admin\AppData\Local\Temp\HD_61afef8a0647c82037a325d162aff4f69a5bf11b276cc6d1d742f29435be2eb8.exe
Filesize6.4MB
MD5699db42d0470ab462d7176e92a188e95
SHA1afa2164839e79dd2dd1d39ab8a0e8183d3d07809
SHA2561ca4c084c7ff06666f9e3c64f5656738245b2f103788ead3d763205c959c875c
SHA5120c6b3bcc94617f2e8bc7c311dfb9004f7d187cdb4818582871e44c5269a7d39535905d6f175fd227d0ad178c93495765c2901a443882fe68e16f8b9c1a04ca1e
-
Filesize
2.4MB
MD5d5f3da928c026382b3f82a06da820223
SHA1cb3b4ff440ac05af54483435f1480627d2470c04
SHA2566836fa86cbb478beeff4bec5ebe44fd709b60d0ad9c363207b2a344c8b5445d1
SHA512006f8ff05e24d5baf4783e5fbd76b99187c7d1654ae28e5f3593908b72cdcfda6249a0c5e2f3c2d8b14d3677f0c8464de644f7231ea46f09a05aece0c2abc6c3
-
Filesize
377KB
MD54a36a48e58829c22381572b2040b6fe0
SHA1f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA2563de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA5125d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0
-
Filesize
941KB
MD58dc3adf1c490211971c1e2325f1424d2
SHA14eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
899KB
MD5291f8f2a54894a34ffe56edc5a1f05fd
SHA159c19d92f379115d86d678b67a15c50737c7cba4
SHA256c536ab535eb1ca8331ff32970d4c98c6f64c4eaec4a7fa3bfeb72581194654c4
SHA5123d2252ed49e110bcfe328b57fa272f7bdec3315ec6b64279c9ab2d89c5bf7532131d38ac427c870597eb8bc79c53749390c55b295cda6292768efbf3d4d557d7
-
Filesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641