Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
07-05-2024 06:49
Static task
static1
Behavioral task
behavioral1
Sample
1fc9b5094b733179f1033890c79b2e41_JaffaCakes118.rtf
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
1fc9b5094b733179f1033890c79b2e41_JaffaCakes118.rtf
Resource
win10v2004-20240419-en
General
-
Target
1fc9b5094b733179f1033890c79b2e41_JaffaCakes118.rtf
-
Size
475KB
-
MD5
1fc9b5094b733179f1033890c79b2e41
-
SHA1
3f42f46d0398ae70f3435707c849fa7b7b9c62d3
-
SHA256
816c9d6d36399c0ef5bb8d0334ef40ba6668cd043be104a4ec3f4291ae1a4b86
-
SHA512
851a4874baa6206fe82ba7ee43df0211810b4390d91b7c70a02673e0826b1a7131c7da9c9b98e56a227d23daeb860957a5304281040b1580332c07f1f4f4cc84
-
SSDEEP
12288:477BeRhC1p1Cy4FkRIni8oNX9gjOxMygi2svV:ocy54FJi8IyygHu
Malware Config
Extracted
formbook
3.8
stn
wlojz.com
nrvonlineconnection.com
miracleworldofent.com
homeswithcherry.com
yeye79791.com
scshanglv.com
webtradenetthebronx.com
dsg-worldwide.com
bakshibeauty.com
17784724521.com
broadswordsinc.com
weekendq.com
sfnetstu.com
ashitsuyo.com
9410pe.com
bankfxrates.com
baidumedical.com
ripchesterfield.com
teepakthai.com
sabattu.com
net1234567.net
godcares4you.com
weighttrainingfordementia.com
rkpy9h.com
shewritestruths.com
cornerhyperbaric.com
rbvrua.info
komi.ltd
pfun.ltd
consolihealth.com
bendi.ink
slitere.com
mkutfuct.com
northtexashappyhour.com
mmrzj.com
aiafn.com
heatecc.com
babesteps.com
xn--4kq761dka4502cpnai5mng.net
clavons.com
brushmasterinc.com
speak.store
edenestateubud.com
leviathancombatcraft.com
chorewizards.biz
t9shpi.com
sholehelayyub.com
returnourbikes.com
tcusanationals.com
mudethreads.com
buycsy.com
theauditcommittee.net
rqhjf.info
kkgan81.com
thebighandbagshoplondon.com
footwaremachinery.com
vravp.info
billyworld.com
zentty.com
readytraffic4update.download
gestioncerveceria.com
tstmyanmar.com
coolstores.site
vellorabeautyrange.com
pendimora.com
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.execmd.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 2512 1684 cmd.exe WINWORD.EXE Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 2716 1684 cmd.exe WINWORD.EXE -
Formbook payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2656-48-0x0000000000400000-0x000000000042A000-memory.dmp formbook behavioral1/memory/2656-53-0x0000000000400000-0x000000000042A000-memory.dmp formbook -
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
raserver.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run raserver.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\-ZH8KLGP4FB = "C:\\Program Files (x86)\\Inz7dbbv\\update1bgd.exe" raserver.exe -
Executes dropped EXE 2 IoCs
Processes:
exe.exeexe.exepid process 2424 exe.exe 2656 exe.exe -
Loads dropped DLL 3 IoCs
Processes:
cmd.exeexe.exepid process 2524 cmd.exe 2424 exe.exe 2424 exe.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
exe.exeexe.exeraserver.exedescription pid process target process PID 2424 set thread context of 2656 2424 exe.exe exe.exe PID 2656 set thread context of 1356 2656 exe.exe Explorer.EXE PID 1888 set thread context of 1356 1888 raserver.exe Explorer.EXE -
Drops file in Program Files directory 1 IoCs
Processes:
raserver.exedescription ioc process File opened for modification C:\Program Files (x86)\Inz7dbbv\update1bgd.exe raserver.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\exe.exe nsis_installer_1 \Users\Admin\AppData\Local\Temp\exe.exe nsis_installer_2 -
Office loads VBA resources, possible macro or embedded object present
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 2732 timeout.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 2464 taskkill.exe -
Processes:
raserver.exeWINWORD.EXEdescription ioc process Key created \Registry\User\S-1-5-21-3627615824-4061627003-3019543961-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 raserver.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1684 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
exe.exeraserver.exepid process 2656 exe.exe 2656 exe.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe 1888 raserver.exe -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
exe.exeexe.exeraserver.exepid process 2424 exe.exe 2656 exe.exe 2656 exe.exe 2656 exe.exe 1888 raserver.exe 1888 raserver.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
taskkill.exeexe.exeraserver.exedescription pid process Token: SeDebugPrivilege 2464 taskkill.exe Token: SeDebugPrivilege 2656 exe.exe Token: SeDebugPrivilege 1888 raserver.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1356 Explorer.EXE 1356 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1356 Explorer.EXE 1356 Explorer.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXEpid process 1684 WINWORD.EXE 1684 WINWORD.EXE 1684 WINWORD.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
WINWORD.EXEcmd.execmd.execmd.exedescription pid process target process PID 1684 wrote to memory of 2512 1684 WINWORD.EXE cmd.exe PID 1684 wrote to memory of 2512 1684 WINWORD.EXE cmd.exe PID 1684 wrote to memory of 2512 1684 WINWORD.EXE cmd.exe PID 1684 wrote to memory of 2512 1684 WINWORD.EXE cmd.exe PID 2512 wrote to memory of 2524 2512 cmd.exe cmd.exe PID 2512 wrote to memory of 2524 2512 cmd.exe cmd.exe PID 2512 wrote to memory of 2524 2512 cmd.exe cmd.exe PID 2512 wrote to memory of 2524 2512 cmd.exe cmd.exe PID 2524 wrote to memory of 2732 2524 cmd.exe timeout.exe PID 2524 wrote to memory of 2732 2524 cmd.exe timeout.exe PID 2524 wrote to memory of 2732 2524 cmd.exe timeout.exe PID 2524 wrote to memory of 2732 2524 cmd.exe timeout.exe PID 1684 wrote to memory of 2716 1684 WINWORD.EXE cmd.exe PID 1684 wrote to memory of 2716 1684 WINWORD.EXE cmd.exe PID 1684 wrote to memory of 2716 1684 WINWORD.EXE cmd.exe PID 1684 wrote to memory of 2716 1684 WINWORD.EXE cmd.exe PID 2524 wrote to memory of 2424 2524 cmd.exe exe.exe PID 2524 wrote to memory of 2424 2524 cmd.exe exe.exe PID 2524 wrote to memory of 2424 2524 cmd.exe exe.exe PID 2524 wrote to memory of 2424 2524 cmd.exe exe.exe PID 2524 wrote to memory of 2464 2524 cmd.exe taskkill.exe PID 2524 wrote to memory of 2464 2524 cmd.exe taskkill.exe PID 2524 wrote to memory of 2464 2524 cmd.exe taskkill.exe PID 2524 wrote to memory of 2464 2524 cmd.exe taskkill.exe PID 2524 wrote to memory of 1892 2524 cmd.exe reg.exe PID 2524 wrote to memory of 1892 2524 cmd.exe reg.exe PID 2524 wrote to memory of 1892 2524 cmd.exe reg.exe PID 2524 wrote to memory of 1892 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2372 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2372 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2372 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2372 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2808 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2808 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2808 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2808 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2684 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2684 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2684 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2684 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2692 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2692 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2692 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2692 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2660 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2660 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2660 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2660 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2768 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2768 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2768 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2768 2524 cmd.exe reg.exe PID 2524 wrote to memory of 1200 2524 cmd.exe reg.exe PID 2524 wrote to memory of 1200 2524 cmd.exe reg.exe PID 2524 wrote to memory of 1200 2524 cmd.exe reg.exe PID 2524 wrote to memory of 1200 2524 cmd.exe reg.exe PID 2524 wrote to memory of 2000 2524 cmd.exe cmd.exe PID 2524 wrote to memory of 2000 2524 cmd.exe cmd.exe PID 2524 wrote to memory of 2000 2524 cmd.exe cmd.exe PID 2524 wrote to memory of 2000 2524 cmd.exe cmd.exe PID 2000 wrote to memory of 2020 2000 cmd.exe reg.exe PID 2000 wrote to memory of 2020 2000 cmd.exe reg.exe PID 2000 wrote to memory of 2020 2000 cmd.exe reg.exe PID 2000 wrote to memory of 2020 2000 cmd.exe reg.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1356 -
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1fc9b5094b733179f1033890c79b2e41_JaffaCakes118.rtf"2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt3⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\2nd.bat4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\timeout.exeTIMEOUT 15⤵
- Delays execution with timeout.exe
PID:2732 -
C:\Users\Admin\AppData\Local\Temp\exe.exeC:\Users\Admin\AppData\Local\Temp\ExE.ExE5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2424 -
C:\Users\Admin\AppData\Local\Temp\exe.exeC:\Users\Admin\AppData\Local\Temp\ExE.ExE6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2656 -
C:\Windows\SysWOW64\taskkill.exeTASKKILL /F /IM winword.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2464 -
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f5⤵PID:1892
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f5⤵PID:2372
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f5⤵PID:2808
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f5⤵PID:2684
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f5⤵PID:2692
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f5⤵PID:2660
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f5⤵PID:2768
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f5⤵PID:1200
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"5⤵
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"6⤵PID:2020
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"5⤵PID:1904
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"6⤵PID:1196
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"5⤵PID:1064
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"6⤵PID:1068
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"5⤵PID:2648
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"6⤵PID:2608
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"5⤵PID:1648
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"6⤵PID:1184
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"5⤵PID:2148
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"6⤵PID:1176
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"5⤵PID:1312
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"6⤵PID:1188
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"5⤵PID:2408
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"6⤵PID:2672
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt3⤵
- Process spawned unexpected child process
PID:2716 -
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:2772
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:2652
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:1872
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵PID:1672
-
C:\Windows\SysWOW64\raserver.exe"C:\Windows\SysWOW64\raserver.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1888 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\exe.exe"3⤵PID:404
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5c9ca8724322ff6b667686b515de69c57
SHA153d5a05e851dd804f98c88bd3e5936f21d9f87f3
SHA256e8a2ea80da5c919f5c6717eab032357c37053f5c6da9925f9aec5cae2bc7a9a4
SHA512bb3cd943e1261b7ac3331c99838fd425798f3600d29ebfccd5c35d981593c522dacf0ed6c5ae5c4a8e910535559ab46c42dc1b767bea093a90d40a7df1058c94
-
Filesize
136B
MD5ad4e94119580d0ec73cc15fc835ce2af
SHA1e89414522edb7c800880bab55a1bb8edaf9c953a
SHA256b8783ae2f2a9acf183411b8acf644ca2187aa660a56a34ab89c9084e8d5af72c
SHA5124328c470ecfd292adbd94d798591af7d688ab935dadb07d53779744a9928017b20f2dec17093177b1a27db08fc07f7601704fd9883c49c86a6237bdb063b5f07
-
Filesize
424B
MD595d97cf47fa918e0fabb5d2ccb7ac691
SHA1ca34525fa702ff74898d0c7d286416d1cc1a2155
SHA25658578fdb3e96c8bbd93503fc2dbedc48310b4d4745dccb01c2bdf861bfe90f01
SHA512717d0039a1ebbbb0957ee84ff2c834f4edb9a79d4d0026a079d304bdfd4bee51aa0f5d847f8668bb64c232a1e49c68bb589b4af065170bfff2ffd96ff5137557
-
Filesize
65KB
MD553d0fbe6dda54c836de6ed8d7b11b0cf
SHA15b73398fe7a0a58d21c746fa5a06aeb7bf1f6ea1
SHA256766b4a6e4dcd678dd6b7424202d3a5be2f9d5f6b9d1df31b3a8f335405e30faa
SHA512cb8826f0cf12b06a0db7031a4b8f458f28d5133f99ccf2d6a3ec7fb180dcdbc43ba34325f340e7667dd5963bf4a746a267efff452beb8f0b8fde57aec0d74644
-
Filesize
40B
MD5d63a82e5d81e02e399090af26db0b9cb
SHA191d0014c8f54743bba141fd60c9d963f869d76c9
SHA256eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA51238afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
-
Filesize
40B
MD5ba3b6bc807d4f76794c4b81b09bb9ba5
SHA124cb89501f0212ff3095ecc0aba97dd563718fb1
SHA2566eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
SHA512ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf
-
Filesize
227KB
MD51542e30e228c47560ed2ad6bc58388d5
SHA1f221e6278fe7764d5fc5eb6c5a63977e479b22f0
SHA256d738c9fc2d162a7d76e0e965ab9ceee7f14e2360abb37821b1e7ddfa6af40e31
SHA512ba78316f146a65ae8c772344edc5c4bd3c41f5bbccc5d7bc64397f569a3990e10723c627402ae9c921b5fcd05db9bf698e16d33d9f5380278e6799569c0ed750
-
Filesize
11KB
MD53f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1fe582246792774c2c9dd15639ffa0aca90d6fd0b
SHA256fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
SHA5120a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6