Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
18-05-2024 05:59
Static task
static1
Behavioral task
behavioral1
Sample
53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
-
Size
418KB
-
MD5
53474c750c9187e0490082d8e1c11a6d
-
SHA1
a53490817cd28f7f9d3689c1dff73308e39ea8c0
-
SHA256
22761f5b95ad6b2932fd543292606a4390728e4837a9914c087ee0556b910786
-
SHA512
77ffaf942f932c2ec81a1ca2c0b9f321c28745fd8f0cd1f91f8e0b7bd69fc82099b81cd736514309e8f431b7a6cbecf19ee154844587e3fbd1c097ec969c4f92
-
SSDEEP
12288:qINL5QskZOSBJRVhQKUN3iduyA3fpIyTCP/tkhDzOkZ:n5mZOoJPCF3iduy669ViDykZ
Malware Config
Signatures
-
Luminosity
Luminosity is a RAT family that was on sale, while claiming to be a system administration utility.
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,\"C:\\Windows\\system32\\clientsvr.exe\"" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\ProgramData\\187797\\svchost.exe\"" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\KCAEOBcI.exe" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\YQUGjTcs.exe" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\jjLAQzDp.exe" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\HaKEsoHb.exe" | reg.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | 53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
-
Executes dropped EXE 7 IoCs
pid | Process
2456 | svchost.exe
5356 | svchost.exe
4240 | svchost.exe
3552 | svchost.exe
6136 | svchost.exe
4824 | svchost.exe
3080 | svchost.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Adobe Startup Utility = "\"C:\\ProgramData\\187797\\svchost.exe\"" | svchost.exe
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\clientsvr.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\clientsvr.exe | svchost.exe
-
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 5780 set thread context of 4604 | 5780 | 53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe | 90
PID 4604 set thread context of 1896 | 4604 | 53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe | 98
PID 2456 set thread context of 4824 | 2456 | svchost.exe | 114
PID 4824 set thread context of 3080 | 4824 | svchost.exe | 121
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3080 | svchost.exe
1896 | 53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
-
Suspicious behavior: RenamesItself 1 IoCs
pid | Process
1896 | 53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3080 | svchost.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
3080 | svchost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5780 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zf7x1xlp.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES45A5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC45A4.tmp"3⤵PID:5324
-
-
-
C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe"2⤵PID:1828
-
-
C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ydhyucie.cmdline"3⤵
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES496E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC496D.tmp"4⤵PID:3624
-
-
-
C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\53474c750c9187e0490082d8e1c11a6d_JaffaCakes118.exe"3⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\ProgramData\187797\svchost.exe"C:\ProgramData\187797\svchost.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tagqtnzs.cmdline"5⤵
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES571A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5719.tmp"6⤵PID:2288
-
-
-
C:\ProgramData\187797\svchost.exe"C:\ProgramData\187797\svchost.exe"5⤵
- Executes dropped EXE
PID:3552
-
-
C:\ProgramData\187797\svchost.exe"C:\ProgramData\187797\svchost.exe"5⤵
- Executes dropped EXE
PID:6136
-
-
C:\ProgramData\187797\svchost.exe"C:\ProgramData\187797\svchost.exe"5⤵
- Executes dropped EXE
PID:5356
-
-
C:\ProgramData\187797\svchost.exe"C:\ProgramData\187797\svchost.exe"5⤵
- Executes dropped EXE
PID:4240
-
-
C:\ProgramData\187797\svchost.exe"C:\ProgramData\187797\svchost.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4824 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m71v4vor.cmdline"6⤵PID:5184
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58FE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC58FD.tmp"7⤵PID:4324
-
-
-
C:\ProgramData\187797\svchost.exe"C:\ProgramData\187797\svchost.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3080
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\HaKEsoHb.exe"6⤵PID:2284
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\HaKEsoHb.exe"7⤵
- Modifies WinLogon for persistence
PID:5608
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\jjLAQzDp.exe"5⤵PID:5888
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\jjLAQzDp.exe"6⤵
- Modifies WinLogon for persistence
PID:5156
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\YQUGjTcs.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\YQUGjTcs.exe"4⤵
- Modifies WinLogon for persistence
PID:5328
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\KCAEOBcI.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d explorer.exe,"C:\Users\Admin\AppData\Local\Temp\KCAEOBcI.exe"3⤵
- Modifies WinLogon for persistence
PID:712
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads