Analysis
-
max time kernel
148s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
06/04/2024, 20:40
Static task
static1
Behavioral task
behavioral1
Sample
e33e3d1648bd9a98fc3875c1eb376889_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
e33e3d1648bd9a98fc3875c1eb376889_JaffaCakes118.exe
-
Size
2.3MB
-
MD5
e33e3d1648bd9a98fc3875c1eb376889
-
SHA1
b684d4ea15479d2a09448d59d5aa6db5d666b012
-
SHA256
8be67974b71de6b2a70585cf81fe0d6a5cf67e9c03a667834e4a177e210ab500
-
SHA512
0948ffad6846adcf67700430d6dea1370f7948fa65fe3a17e391b4f2f49ce5cf262fec5226011d2951268142c3ee4f60ceb8d050052ed0a6f10e042d7cbb6153
-
SSDEEP
49152:A+mKqRWCKBA8N/7dtgQxmapsprT03R/zu7uEI:A7ReBxNLgkXp6w5zEuV
Malware Config
Signatures
-
SectopRAT payload 17 IoCs
resource yara_rule behavioral2/memory/1136-14-0x0000000000990000-0x00000000012B8000-memory.dmp family_sectoprat behavioral2/memory/1136-16-0x0000000000990000-0x00000000012B8000-memory.dmp family_sectoprat behavioral2/memory/1136-59-0x0000000000990000-0x00000000012B8000-memory.dmp family_sectoprat behavioral2/memory/1136-77-0x0000000000990000-0x00000000012B8000-memory.dmp family_sectoprat behavioral2/memory/1136-104-0x0000000000990000-0x00000000012B8000-memory.dmp family_sectoprat behavioral2/memory/1136-107-0x0000000000990000-0x00000000012B8000-memory.dmp family_sectoprat behavioral2/memory/1136-187-0x0000000000990000-0x00000000012B8000-memory.dmp family_sectoprat behavioral2/memory/1136-216-0x0000000000990000-0x00000000012B8000-memory.dmp family_sectoprat behavioral2/memory/1136-220-0x0000000000990000-0x00000000012B8000-memory.dmp family_sectoprat behavioral2/memory/1136-221-0x0000000000990000-0x00000000012B8000-memory.dmp family_sectoprat behavioral2/memory/1136-224-0x0000000000990000-0x00000000012B8000-memory.dmp family_sectoprat behavioral2/memory/1136-225-0x0000000000990000-0x00000000012B8000-memory.dmp family_sectoprat behavioral2/memory/1136-226-0x0000000000990000-0x00000000012B8000-memory.dmp family_sectoprat behavioral2/memory/1136-227-0x0000000000990000-0x00000000012B8000-memory.dmp family_sectoprat behavioral2/memory/1136-228-0x0000000000990000-0x00000000012B8000-memory.dmp family_sectoprat behavioral2/memory/1136-229-0x0000000000990000-0x00000000012B8000-memory.dmp family_sectoprat behavioral2/memory/1136-230-0x0000000000990000-0x00000000012B8000-memory.dmp family_sectoprat -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation etc.exe Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation svchost32.exe Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation services32.exe Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation svchost32.exe -
Executes dropped EXE 6 IoCs
pid Process 5100 etc.exe 1136 build.exe 652 svchost32.exe 4984 services32.exe 5028 svchost32.exe 4956 sihost32.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 42 raw.githubusercontent.com 43 raw.githubusercontent.com -
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\system32\Microsoft\Telemetry\sihost32.log svchost32.exe File created C:\Windows\system32\services32.exe svchost32.exe File opened for modification C:\Windows\system32\services32.exe svchost32.exe File created C:\Windows\system32\Microsoft\Telemetry\sihost32.exe svchost32.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
pid Process 1136 build.exe 1136 build.exe 1136 build.exe 1136 build.exe 1136 build.exe 1136 build.exe 1136 build.exe 1136 build.exe 1136 build.exe 1136 build.exe 1136 build.exe 1136 build.exe 1136 build.exe 1136 build.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2156 schtasks.exe 3132 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid Process 1968 powershell.exe 1968 powershell.exe 5000 powershell.exe 5000 powershell.exe 1736 powershell.exe 1736 powershell.exe 2864 powershell.exe 2864 powershell.exe 652 svchost32.exe 4080 powershell.exe 4080 powershell.exe 4080 powershell.exe 3344 powershell.exe 3344 powershell.exe 1556 powershell.exe 1556 powershell.exe 3912 powershell.exe 3912 powershell.exe 5028 svchost32.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process Token: SeDebugPrivilege 1968 powershell.exe Token: SeDebugPrivilege 5000 powershell.exe Token: SeDebugPrivilege 1736 powershell.exe Token: SeDebugPrivilege 1136 build.exe Token: SeDebugPrivilege 2864 powershell.exe Token: SeDebugPrivilege 652 svchost32.exe Token: SeDebugPrivilege 4080 powershell.exe Token: SeDebugPrivilege 3344 powershell.exe Token: SeDebugPrivilege 1556 powershell.exe Token: SeDebugPrivilege 3912 powershell.exe Token: SeDebugPrivilege 5028 svchost32.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1136 build.exe -
Suspicious use of WriteProcessMemory 53 IoCs
description pid Process procid_target PID 4992 wrote to memory of 5100 4992 e33e3d1648bd9a98fc3875c1eb376889_JaffaCakes118.exe 89 PID 4992 wrote to memory of 5100 4992 e33e3d1648bd9a98fc3875c1eb376889_JaffaCakes118.exe 89 PID 4992 wrote to memory of 1136 4992 e33e3d1648bd9a98fc3875c1eb376889_JaffaCakes118.exe 90 PID 4992 wrote to memory of 1136 4992 e33e3d1648bd9a98fc3875c1eb376889_JaffaCakes118.exe 90 PID 4992 wrote to memory of 1136 4992 e33e3d1648bd9a98fc3875c1eb376889_JaffaCakes118.exe 90 PID 5100 wrote to memory of 2388 5100 etc.exe 92 PID 5100 wrote to memory of 2388 5100 etc.exe 92 PID 2388 wrote to memory of 1968 2388 cmd.exe 94 PID 2388 wrote to memory of 1968 2388 cmd.exe 94 PID 2388 wrote to memory of 5000 2388 cmd.exe 95 PID 2388 wrote to memory of 5000 2388 cmd.exe 95 PID 2388 wrote to memory of 1736 2388 cmd.exe 96 PID 2388 wrote to memory of 1736 2388 cmd.exe 96 PID 2388 wrote to memory of 2864 2388 cmd.exe 97 PID 2388 wrote to memory of 2864 2388 cmd.exe 97 PID 5100 wrote to memory of 3572 5100 etc.exe 101 PID 5100 wrote to memory of 3572 5100 etc.exe 101 PID 3572 wrote to memory of 652 3572 cmd.exe 103 PID 3572 wrote to memory of 652 3572 cmd.exe 103 PID 652 wrote to memory of 4992 652 svchost32.exe 105 PID 652 wrote to memory of 4992 652 svchost32.exe 105 PID 4992 wrote to memory of 2156 4992 cmd.exe 108 PID 4992 wrote to memory of 2156 4992 cmd.exe 108 PID 652 wrote to memory of 4984 652 svchost32.exe 109 PID 652 wrote to memory of 4984 652 svchost32.exe 109 PID 652 wrote to memory of 3152 652 svchost32.exe 110 PID 652 wrote to memory of 3152 652 svchost32.exe 110 PID 3152 wrote to memory of 1208 3152 cmd.exe 112 PID 3152 wrote to memory of 1208 3152 cmd.exe 112 PID 4984 wrote to memory of 3356 4984 services32.exe 114 PID 4984 wrote to memory of 3356 4984 services32.exe 114 PID 3356 wrote to memory of 4080 3356 cmd.exe 116 PID 3356 wrote to memory of 4080 3356 cmd.exe 116 PID 3356 wrote to memory of 3344 3356 cmd.exe 117 PID 3356 wrote to memory of 3344 3356 cmd.exe 117 PID 3356 wrote to memory of 1556 3356 cmd.exe 120 PID 3356 wrote to memory of 1556 3356 cmd.exe 120 PID 3356 wrote to memory of 3912 3356 cmd.exe 121 PID 3356 wrote to memory of 3912 3356 cmd.exe 121 PID 4984 wrote to memory of 2972 4984 services32.exe 122 PID 4984 wrote to memory of 2972 4984 services32.exe 122 PID 2972 wrote to memory of 5028 2972 cmd.exe 124 PID 2972 wrote to memory of 5028 2972 cmd.exe 124 PID 5028 wrote to memory of 5096 5028 svchost32.exe 125 PID 5028 wrote to memory of 5096 5028 svchost32.exe 125 PID 5028 wrote to memory of 4956 5028 svchost32.exe 127 PID 5028 wrote to memory of 4956 5028 svchost32.exe 127 PID 5096 wrote to memory of 3132 5096 cmd.exe 128 PID 5096 wrote to memory of 3132 5096 cmd.exe 128 PID 5028 wrote to memory of 4868 5028 svchost32.exe 129 PID 5028 wrote to memory of 4868 5028 svchost32.exe 129 PID 4868 wrote to memory of 3996 4868 cmd.exe 131 PID 4868 wrote to memory of 3996 4868 cmd.exe 131 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e33e3d1648bd9a98fc3875c1eb376889_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e33e3d1648bd9a98fc3875c1eb376889_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Users\Admin\AppData\Roaming\etc.exeC:\Users\Admin\AppData\Roaming\etc.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SYSTEM32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit3⤵
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Roaming\etc.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Users\Admin\AppData\Local\Temp\svchost32.exeC:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Roaming\etc.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit5⤵
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'6⤵
- Creates scheduled task(s)
PID:2156
-
-
-
C:\Windows\system32\services32.exe"C:\Windows\system32\services32.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\system32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit6⤵
- Suspicious use of WriteProcessMemory
PID:3356 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3912
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"6⤵
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Users\Admin\AppData\Local\Temp\svchost32.exeC:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit8⤵
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'9⤵
- Creates scheduled task(s)
PID:3132
-
-
-
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"8⤵
- Executes dropped EXE
PID:4956
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"8⤵
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 39⤵PID:3996
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 36⤵PID:1208
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\build.exeC:\Users\Admin\AppData\Roaming\build.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1136
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
539B
MD5b245679121623b152bea5562c173ba11
SHA147cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d
SHA25673d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f
SHA51275e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c
-
Filesize
944B
MD515dde0683cd1ca19785d7262f554ba93
SHA1d039c577e438546d10ac64837b05da480d06bf69
SHA256d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
SHA51257c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672
-
Filesize
944B
MD5c94af379fe0d2afdabe4476dc7232198
SHA1ae6ebf37fd84cf66dcd330e998f972a4d0a21b72
SHA2567a1017d506434a4bd30a8ab78c064881313d14d95bc8b4e13589824b4caf9a07
SHA51280e112fe35b27c0e85b657ec158583faf742157f27e8ff00ea1e4f3d688ac173bd154bb0dec19aee43f7035c2b4b7156373a52f0642773dee0a01fcb37844144
-
Filesize
944B
MD52c7e4871337dee163e9cd17ce1b45a77
SHA16efdece7fced31fb7025bc3ad8ce74f0949ce365
SHA2562e64141309e64d43c46601d6e1feae8f2c143b9fddb606bd23d934fe92b6c205
SHA5129a4e9a8ab1fd5670ed1845a74b3c402f4cc3a4a59e9c4e77e05c5b311fe465db3a818d7dfb836d4d9cd090b0d5d23b70e1d6d2d1bcdf91969b74284b0645e1fd
-
Filesize
944B
MD5ee2fe35371b1ed06e7aa7ed85fddfae2
SHA1827e236371889414ba9a9a4a155137a64a9c84fd
SHA2562522087b08697940bed784ba9a6d5853a8a5562810d2743b3587994bab380da6
SHA512a4ab296556e75a0578ed610217bc6032c2706012aebdb7ac882b5355b7d436a3aa044ce7236a7ace51f92bbb032ad09d9d239c9f9b0582604de3247b1cc46638
-
Filesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD598baf5117c4fcec1692067d200c58ab3
SHA15b33a57b72141e7508b615e17fb621612cb8e390
SHA25630bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51
SHA512344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d
-
Filesize
944B
MD53072fa0040b347c3941144486bf30c6f
SHA1e6dc84a5bd882198583653592f17af1bf8cbfc68
SHA256da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e
SHA51262df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
134KB
MD5c0a0f69a8f0bd1078e29a87b690b1dd5
SHA1188e719ae4fb1a14f5cc41957c6b399ce63f4bae
SHA2562e95db0ce8987a00938465dfa31e470a70d01a44243b4dbfa843ba7072f23312
SHA5128b37d2c80d2ccdbcf8644b5e816b106de2715b30e0832c22790868ce8c03b0548828898436789743f73250d0a9f4df5da1dc364b0abef5ca8bd4402f87e09020
-
Filesize
2.0MB
MD540ad1426ea2983757438d993fd878437
SHA12ebc872bb918fae9b54f8dc53468faf87c4a2e7e
SHA25683322d1873b5690241c4b3d29102d577ccf65d4307141d11a5300a16a38484e2
SHA5127bc43d65315c1c1b18a9b05b33a760478adda7a8eada0043931ebc0198ec35a396395f2ed4dafae5df0c9ece02b4b9b3b92c3a42876c98c04deec8c0646ee646
-
Filesize
272KB
MD55faf6449781d220959da0baf48d46f74
SHA1ca583a6bcf391458da10cf4a57353a4c986c5883
SHA256a61f251f1d025884d666a845710b903b566d3f2abc5a64509eba474b0101a672
SHA51298d4e333263d56bc0fda0c255c0ac61ac53df954c7c8511e0bf9611a0b9a82913e530b29e380d823e7ea522ae8626b8e10b79cb47e49fb82d138745bbcc9e379
-
Filesize
59KB
MD505338b92b386f4757a399835b5807a28
SHA19d20f6c20d441b6848adaab170e27d1e317032e2
SHA256f9c2c1db5dedb4aa64002541a824d44e51469091f5f9d7a9da46bee35f2d8a6d
SHA512ea1c186c646f734e3f82e2921e50e34c4a8b1036e5fcc01d74f601930f7b09c7416bdc3bfc57d9b21295b1b1fad3ecef1216ff3b25f3fa43d9167c17131afc0f