Analysis
-
max time kernel
92s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
16-04-2024 11:23
Static task
static1
Behavioral task
behavioral1
Sample
f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe
-
Size
516KB
-
MD5
f362dd71d128ea233ba0976d61589331
-
SHA1
e1faaf133282c1efb78ef54b3b683c651df306a7
-
SHA256
5450d70a103c7439fb6f9887bb6660cb2e07a7d6c4f0174a4fc7397a6742403d
-
SHA512
5a4ddf03918adc1d4081a96251175d1d7130b08aa81b9f46697ba3c0a148f1f69e7b72d37643047143a4569a744d628ce3cc931edb5d6c70b1213c45fd0a74f1
-
SSDEEP
6144:qOOr9BJ/GKWWBNU6ITLBi0qttclOKgU91BKLB15kAydiib4xMhj7TSnRHNaNul+o:3eBNUbTVO86UAtkj7b4xMtA1NaNZeaU
Malware Config
Signatures
-
Expiro payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/1252-17-0x000000013F4F0000-0x000000013F5AD000-memory.dmp family_expiro1 behavioral1/memory/2564-18-0x0000000010000000-0x00000000100B2000-memory.dmp family_expiro1 behavioral1/memory/2564-19-0x0000000010000000-0x00000000100B2000-memory.dmp family_expiro1 behavioral1/memory/2564-26-0x0000000010000000-0x00000000100B2000-memory.dmp family_expiro1 behavioral1/memory/684-112-0x000000013FD40000-0x000000013FE11000-memory.dmp family_expiro1 -
Disables taskbar notifications via registry modification
-
Executes dropped EXE 9 IoCs
Processes:
mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exemscorsvw.exemscorsvw.exeelevation_service.exepid process 2564 mscorsvw.exe 468 2432 mscorsvw.exe 1360 mscorsvw.exe 684 mscorsvw.exe 1372 dllhost.exe 2532 mscorsvw.exe 392 mscorsvw.exe 2928 elevation_service.exe -
Loads dropped DLL 5 IoCs
Processes:
pid process 468 468 468 468 468 -
Processes:
mscorsvw.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3787592910-3720486031-2929222812-1000 mscorsvw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3787592910-3720486031-2929222812-1000\EnableNotifications = "0" mscorsvw.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
mscorsvw.exedescription ioc process File opened (read-only) \??\Y: mscorsvw.exe File opened (read-only) \??\J: mscorsvw.exe File opened (read-only) \??\O: mscorsvw.exe File opened (read-only) \??\Q: mscorsvw.exe File opened (read-only) \??\W: mscorsvw.exe File opened (read-only) \??\E: mscorsvw.exe File opened (read-only) \??\G: mscorsvw.exe File opened (read-only) \??\H: mscorsvw.exe File opened (read-only) \??\R: mscorsvw.exe File opened (read-only) \??\S: mscorsvw.exe File opened (read-only) \??\U: mscorsvw.exe File opened (read-only) \??\X: mscorsvw.exe File opened (read-only) \??\I: mscorsvw.exe File opened (read-only) \??\M: mscorsvw.exe File opened (read-only) \??\N: mscorsvw.exe File opened (read-only) \??\T: mscorsvw.exe File opened (read-only) \??\V: mscorsvw.exe File opened (read-only) \??\Z: mscorsvw.exe File opened (read-only) \??\K: mscorsvw.exe File opened (read-only) \??\L: mscorsvw.exe File opened (read-only) \??\P: mscorsvw.exe -
Drops file in System32 directory 30 IoCs
Processes:
f362dd71d128ea233ba0976d61589331_JaffaCakes118.exemscorsvw.exedescription ioc process File opened for modification \??\c:\windows\system32\ieetwcollector.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File created \??\c:\windows\system32\fcghnmce.tmp f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\windows\system32\vds.exe mscorsvw.exe File opened for modification \??\c:\windows\system32\lsass.exe mscorsvw.exe File opened for modification \??\c:\windows\system32\msdtc.exe mscorsvw.exe File opened for modification \??\c:\windows\system32\wbengine.exe mscorsvw.exe File opened for modification \??\c:\windows\system32\alg.exe mscorsvw.exe File opened for modification \??\c:\windows\system32\svchost.exe mscorsvw.exe File opened for modification \??\c:\windows\system32\fxssvc.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\windows\system32\fxssvc.exe mscorsvw.exe File opened for modification \??\c:\windows\system32\ieetwcollector.exe mscorsvw.exe File opened for modification \??\c:\windows\syswow64\perfhost.exe mscorsvw.exe File created \??\c:\windows\system32\idcgmocn.tmp f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\windows\system32\snmptrap.exe mscorsvw.exe File opened for modification \??\c:\windows\system32\vssvc.exe mscorsvw.exe File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe mscorsvw.exe File created \??\c:\windows\system32\dkocaqcp.tmp f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\windows\system32\msiexec.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\windows\system32\msiexec.exe mscorsvw.exe File opened for modification \??\c:\windows\system32\searchindexer.exe mscorsvw.exe File opened for modification \??\c:\windows\system32\msdtc.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\windows\system32\dllhost.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File created \??\c:\windows\system32\ofnbnqdo.tmp f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\windows\system32\ui0detect.exe mscorsvw.exe File opened for modification \??\c:\windows\system32\lsass.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File created \??\c:\windows\system32\qnklkkkd.tmp f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\windows\system32\locator.exe mscorsvw.exe File opened for modification \??\c:\windows\system32\svchost.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\windows\system32\alg.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File created \??\c:\windows\system32\ncnqkmkk.tmp f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe -
Drops file in Program Files directory 17 IoCs
Processes:
mscorsvw.exef362dd71d128ea233ba0976d61589331_JaffaCakes118.exedescription ioc process File created \??\c:\program files (x86)\mozilla maintenance service\qfjcfggd.tmp mscorsvw.exe File opened for modification \??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe mscorsvw.exe File created \??\c:\program files (x86)\microsoft office\office14\gejpjiok.tmp mscorsvw.exe File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe mscorsvw.exe File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe mscorsvw.exe File opened for modification \??\c:\program files (x86)\microsoft office\office14\groove.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File created \??\c:\program files (x86)\common files\microsoft shared\source engine\ddibegkm.tmp mscorsvw.exe File created \??\c:\program files\google\chrome\Application\106.0.5249.119\modjhibg.tmp f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe mscorsvw.exe File opened for modification \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe mscorsvw.exe File opened for modification \??\c:\program files (x86)\microsoft office\office14\groove.exe mscorsvw.exe File opened for modification \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe mscorsvw.exe -
Drops file in Windows directory 40 IoCs
Processes:
f362dd71d128ea233ba0976d61589331_JaffaCakes118.exemscorsvw.exemscorsvw.exemscorsvw.exedllhost.exedescription ioc process File opened for modification \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\windows\ehome\ehsched.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File created \??\c:\windows\microsoft.net\framework\v2.0.50727\mbpdmfji.tmp f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log mscorsvw.exe File created \??\c:\windows\microsoft.net\framework\v4.0.30319\ajikhphp.tmp f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\windows\servicing\trustedinstaller.exe mscorsvw.exe File created \??\c:\windows\microsoft.net\framework64\v4.0.30319\jkjacjpn.tmp f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File created C:\Windows\Microsoft.NET\ngennicupdatelock.dat mscorsvw.exe File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe mscorsvw.exe File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe mscorsvw.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log mscorsvw.exe File created \??\c:\windows\microsoft.net\framework64\v4.0.30319\jkepffmm.tmp f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat mscorsvw.exe File opened for modification \??\c:\windows\ehome\ehrecvr.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File created \??\c:\windows\ehome\ijehhond.tmp f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File created \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\cfkhminb.tmp f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log mscorsvw.exe File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2BA4CE36-22F5-4282-969B-C71353419666}.crmlog dllhost.exe File opened for modification \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe mscorsvw.exe File opened for modification \??\c:\windows\ehome\ehrecvr.exe mscorsvw.exe File opened for modification \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe mscorsvw.exe File opened for modification \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat mscorsvw.exe File created \??\c:\windows\microsoft.net\framework64\v2.0.50727\hffqmfpc.tmp f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat mscorsvw.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat mscorsvw.exe File created \??\c:\windows\ehome\hfbgnjda.tmp f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File opened for modification \??\c:\windows\ehome\ehsched.exe mscorsvw.exe File opened for modification \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock mscorsvw.exe File created C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2BA4CE36-22F5-4282-969B-C71353419666}.crmlog dllhost.exe File created C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat mscorsvw.exe File opened for modification \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe mscorsvw.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
mscorsvw.exepid process 684 mscorsvw.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
f362dd71d128ea233ba0976d61589331_JaffaCakes118.exemscorsvw.exedescription pid process Token: SeTakeOwnershipPrivilege 1252 f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe Token: SeShutdownPrivilege 684 mscorsvw.exe Token: SeShutdownPrivilege 684 mscorsvw.exe Token: SeShutdownPrivilege 684 mscorsvw.exe Token: SeShutdownPrivilege 684 mscorsvw.exe Token: SeTakeOwnershipPrivilege 684 mscorsvw.exe Token: SeShutdownPrivilege 684 mscorsvw.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
mscorsvw.exedescription pid process target process PID 684 wrote to memory of 2532 684 mscorsvw.exe mscorsvw.exe PID 684 wrote to memory of 2532 684 mscorsvw.exe mscorsvw.exe PID 684 wrote to memory of 2532 684 mscorsvw.exe mscorsvw.exe PID 684 wrote to memory of 392 684 mscorsvw.exe mscorsvw.exe PID 684 wrote to memory of 392 684 mscorsvw.exe mscorsvw.exe PID 684 wrote to memory of 392 684 mscorsvw.exe mscorsvw.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
mscorsvw.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer mscorsvw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" mscorsvw.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f362dd71d128ea233ba0976d61589331_JaffaCakes118.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1252
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2564
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2432
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
PID:1360
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:684 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 198 -NGENProcess 19c -Pipe 1a8 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 228 -NGENProcess 208 -Pipe 224 -Comment "NGen Worker Process"2⤵
- Executes dropped EXE
PID:392
-
C:\Windows\system32\dllhost.exeC:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1372
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2928
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
872KB
MD55752edcd9a36f15b74aefb44217d8017
SHA12925da7d466315236881c67620e28f8e20fba1af
SHA2564aee9d0106c4cb1e91f5483ef66bc9d9027d3c7516a1ff53634f35991d3bfa17
SHA5129d5753c45341f2ec2da24602f38c3e1d2a91764cad882655f0bebed55de8dd5a111fb9f646d11df3b615ce15a1127b1b353512505a719ec05db3a1ec86172a3e
-
Filesize
301KB
MD507623b9bc15a647ac3ba8ffd9eb16305
SHA1e2df30634f8d2e565de8800e6f2c11cdbf7fe137
SHA2568e2b57fbb8aa21570852831757849159175e73a997427e34d17caaeb31fd21fd
SHA512a7843c76dd68c4631c481f292cdce210babe89a3ab7979083b890a3e1d8b283d04e260e431a83a1f5618534451ccd2c29f732e33e9dfd888c9f15b02bf35ed19
-
Filesize
1003KB
MD5c00a7f11108f8b006f99e17ae922d21d
SHA1a9374642cb47dc0d2875194e7fa044b0d2996735
SHA256ef2032ce6f6b36fe03e9948786340c2953e757b13727729cc3fbf56beed96b81
SHA51291ed3f6a1b17abc851b799ecaaef9444d721c0481512c7e1cb9e7a81ac875490af1c5140063120ed6393eefc224b60b6ea98d029f5fbe3a753529ea0c5bbf08d
-
Filesize
332KB
MD5e566311c92ceb15feba0b0848ef715cb
SHA165a3790078b010bfe3fce00e5696060911f7f400
SHA256f97d99cfa54379c1ac7550bd2fe7b36f5727b39003f20380537ed44c5f2cbbf2
SHA5121502126cfa09d7d010b0fc9921c4e15e9b03b42d6a9ed1d94316cd08f77d86838e55c937f7e0adb0198e2e7f8a5f1a4e0460f237ea46239d55db091a6c1210ad
-
Filesize
253KB
MD56547287f46a787cacd2cfdd4e97d78da
SHA1d83d00201159df05e97467df6ef455a41a1bf6ea
SHA25656be8a2270369de2c07f8aa1e8d4c7125511614ea214dc9d1253c582ca435c45
SHA5123fc7c33c910d65a7f2ac0ff345b57da5d7581369a959640dbbc751b24aa53ee554ebaf8912ecce6a288212464ff0ca189c67c32c2abf3a8772f8b79efc8a1e79
-
Filesize
29.8MB
MD5fccf4e45a86209c37893a0e5ee9ee677
SHA15622e8ede7aea8c8bce9a96afbed77d4d803f292
SHA256b7a391082f106c4ab253f9f3da53e2b5d68785b7fcd80b9651b9dfa6de6d7c97
SHA512321bb1c0134410f462d09864baeced01d5dd6fe17cd6e26af830c4cd7d38dd9628dfbbc36d2050db500991b9af6f90862ae7be272937aa5c58f71c9afd47a526
-
Filesize
922KB
MD556960f22a7bc0e5c6a166c633fc38239
SHA1125f2a9c89ef07447ae2577c56eb39bfb29e71a0
SHA25612cb2c474a0a1903f95e5b6ee98d3b310bff3ea28f94b2b3f61700b185eab02b
SHA51202d95ba7892d08885cd21ca36e0e50539c6109f203340c54a786f0e44f4350b52c8e0d74caf8c40d692e12ecb53dac20b6ea9b66ca0ec8a8c2ac4bfbe9ed0cd2
-
Filesize
367KB
MD5380717b8f63f09e0ef480892350410db
SHA17e7ae7c30567456c43bb0adb9332032cfa6132ce
SHA256fb31970804ef8c3fd93188b80a51e46ecd3a28077473a243c7d9b78cae291c92
SHA51266d4d07b3aa5c98d0694d0cb5579888af41651d61c4dbc6573aab814c56a8b13848a91094903ac6012e2c5e7b8e8a78d4c7c7ca5370f0ebd3de05e05e828a365
-
Filesize
279KB
MD5c1623b03458c3f057e91d3daacacbf30
SHA12b71cb845b75edb1d0937a21e44246f5230b668b
SHA256a2d150055b94977ef58a8f304f3ed03fc7f709034aa3c948af4065c196cfca77
SHA5125422db1ef286722ea76979d5e20fd094c89bc7a113254338243987eb675c43c37a45e82c8d4dac161094d91c489e4852282f27e8f9a4d0c556247acab5c72e12
-
Filesize
320KB
MD591e2d65c58d3ecb4fec8b0c53d53cb2a
SHA1b77971c65f845a27aa9523661e4d92b5b4871051
SHA256273c6cd234d04b2d113e00883d9902a3da6bda65352133381ffc4f572f0100dc
SHA5127f381168e082145d9ba6afd18ed8f78afc1b5afaef117755f91587346a091eca4072c9c06570371c8008179b1a3e0e77d64964d9035656081a682a05d7b9134a
-
Filesize
916KB
MD55612537b356833ae5e71087578276623
SHA1e0f2dcecdec7695a718d5b8d85131876a04381e1
SHA2562f10df661b238724df5517682e203fe05f61dbc441a2647e44456da8a576b905
SHA512c0ff8b46b8942131b02caee48dc9e5becc3719a16aa1e51ab8d81013f5368e5e199d38ad7a592fdad21544966f3a06b63fb88e02eca20f69679225eba9ca26c0
-
Filesize
381KB
MD51fc4a22f83f3837f96609e1cfe3922e0
SHA120f0d3fdd58ea123de071b50b21bf705d05679a5
SHA25654a4d43de8e9f124b50693c25b3ae40d4603cc0a027d9cf28f565ec4aa9ab9ec
SHA512bfce44418c2b573e5e8bbbbf4a387d755bd676bc57460aa2a8e6aee2d28d03125ecba64018fa8a37beafb05deb286fc8a51bf8aefb18b57a638b8069e2cbb6c0
-
Filesize
1.8MB
MD5719e69f871aaf5f4131cb18f71b75065
SHA1d20115f3ca22f32a410faf394a042e6cedf3934b
SHA256d5d8fe2e4c4ab18939b3e22bee29c083d3536f9591a15fdeb22b59ab9b4843d2
SHA512fabb8b2baae71dc84ba9a94a152980ddf6436e49a48843adbdca67dc55005d11e23f40d1571f30c0e305513d5373bbf7f14ea5a4bfb96d956b2a17855882a3f5
-
Filesize
324KB
MD5dc2834c53f38796f0bb3a04d44abef5d
SHA16604d9c7feb9acdd2efae8a61560d96fab495ec5
SHA256a5f305427c7210f37dee719d846185d496b0344157c05deeec3e79f495e8dd39
SHA512ccfc5c1593f042174ef0299203068d25ad69a54badbd8936943b0ac521fe384245ec1147f2d1a71f058b301010b1aeed14c6617b1fb353ef88cd541619ba25ff
-
Filesize
354KB
MD5a6047a8b72a939381222c048cf13a623
SHA121b5087d3d7300f296b2432e0fbff740ea06b5cb
SHA2561d8021df0aff2ad897ef55b01e548a89ceb8de889e8d01926cdbedbfa216f1de
SHA512e865074ef1a169be5880c366a5fcef58cfb4f66d8389287a3cd37d539e99d232dcbe0755b9c503aae4aa9d16fec8d73dcd5344cf96697ec5930f13ffa1e43eb5