Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-08-2024 09:36
Behavioral task
behavioral1
Sample
9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe
-
Size
1.9MB
-
MD5
9dd6a382a4b8e3295ed977f1cc176c0a
-
SHA1
cd990deea4530f113c617b9cda0eeea7ada9170e
-
SHA256
7910fea09618fde1ba6c2e3ea088de50109e685d20ae1c08df2f8b530fddd964
-
SHA512
a9181c76e87101bedff793689df0d60d89e49469b0b6f768961f0185bbda82d78837db236a2a8bf9585252ee467d2081ce02769662b57d6b3386836550d5e7dc
-
SSDEEP
24576:zRgV9lX4ePztJzKe4QTnExJrP6+RtCFKOqRuGmjpMg8R5w+cTll8add1Lj6vull+:zR6bbJR7OyKiKO0VaqgY5w+eTZ3Ejmr6
Malware Config
Extracted
wshrat
http://blackhillls.ddns.net:1334
Signatures
-
Matiex Main payload 6 IoCs
resource yara_rule behavioral2/memory/320-4-0x0000000000400000-0x00000000005F1000-memory.dmp family_matiex behavioral2/files/0x000700000002347f-9.dat family_matiex behavioral2/files/0x000700000002348b-24.dat family_matiex behavioral2/memory/1456-36-0x0000000000400000-0x00000000005F1000-memory.dmp family_matiex behavioral2/memory/3224-53-0x0000000000A20000-0x0000000000A92000-memory.dmp family_matiex behavioral2/memory/1644-96-0x0000000000400000-0x00000000005F1000-memory.dmp family_matiex -
PredatorStealer
Predator is a modular stealer written in C#.
-
WSHRAT payload 2 IoCs
resource yara_rule behavioral2/files/0x000700000002347f-9.dat family_wshrat behavioral2/files/0x000700000002348a-28.dat family_wshrat -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request 7 IoCs
flow pid Process 28 1560 wscript.exe 31 1560 wscript.exe 57 1560 wscript.exe 65 1560 wscript.exe 69 1560 wscript.exe 82 1560 wscript.exe 83 1560 wscript.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation scvhost.exe Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation scvhost.exe -
Deletes itself 1 IoCs
pid Process 2692 notepad.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.vbs notepad.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js WScript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js wscript.exe -
Executes dropped EXE 5 IoCs
pid Process 1456 scvhost.exe 3224 BsA2woE9zZbLwSC.exe 640 scvhost.exe 1644 scvhost.exe 228 bin.exe -
Loads dropped DLL 2 IoCs
pid Process 228 bin.exe 228 bin.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/640-34-0x0000000000400000-0x0000000000760000-memory.dmp upx behavioral2/memory/640-42-0x0000000000400000-0x0000000000760000-memory.dmp upx behavioral2/memory/640-38-0x0000000000400000-0x0000000000760000-memory.dmp upx behavioral2/memory/640-39-0x0000000000400000-0x0000000000760000-memory.dmp upx -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 scvhost.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 scvhost.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 scvhost.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 BsA2woE9zZbLwSC.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 BsA2woE9zZbLwSC.exe Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 BsA2woE9zZbLwSC.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js\"" WScript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js\"" WScript.exe Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js\"" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js\"" wscript.exe -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 35 freegeoip.app 25 checkip.dyndns.org 27 ip-api.com 34 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1456 set thread context of 640 1456 scvhost.exe 98 -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 4824 3224 WerFault.exe 97 -
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language scvhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language scvhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BsA2woE9zZbLwSC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language scvhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings scvhost.exe -
NTFS ADS 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe:ZoneIdentifier notepad.exe -
Script User-Agent 6 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 83 WSHRAT|7A047C37|PVMNUDVD|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 16/8/2024|JavaScript-v3.3|GB:United Kingdom HTTP User-Agent header 31 WSHRAT|7A047C37|PVMNUDVD|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 16/8/2024|JavaScript-v3.3|GB:United Kingdom HTTP User-Agent header 57 WSHRAT|7A047C37|PVMNUDVD|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 16/8/2024|JavaScript-v3.3|GB:United Kingdom HTTP User-Agent header 65 WSHRAT|7A047C37|PVMNUDVD|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 16/8/2024|JavaScript-v3.3|GB:United Kingdom HTTP User-Agent header 69 WSHRAT|7A047C37|PVMNUDVD|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 16/8/2024|JavaScript-v3.3|GB:United Kingdom HTTP User-Agent header 82 WSHRAT|7A047C37|PVMNUDVD|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 16/8/2024|JavaScript-v3.3|GB:United Kingdom -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 320 9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe 320 9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe 1456 scvhost.exe 1456 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe 1644 scvhost.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1456 scvhost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3224 BsA2woE9zZbLwSC.exe Token: SeDebugPrivilege 640 scvhost.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 320 wrote to memory of 2692 320 9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe 91 PID 320 wrote to memory of 2692 320 9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe 91 PID 320 wrote to memory of 2692 320 9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe 91 PID 320 wrote to memory of 2692 320 9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe 91 PID 320 wrote to memory of 2692 320 9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe 91 PID 2692 wrote to memory of 1456 2692 notepad.exe 93 PID 2692 wrote to memory of 1456 2692 notepad.exe 93 PID 2692 wrote to memory of 1456 2692 notepad.exe 93 PID 1456 wrote to memory of 4532 1456 scvhost.exe 96 PID 1456 wrote to memory of 4532 1456 scvhost.exe 96 PID 1456 wrote to memory of 4532 1456 scvhost.exe 96 PID 1456 wrote to memory of 3224 1456 scvhost.exe 97 PID 1456 wrote to memory of 3224 1456 scvhost.exe 97 PID 1456 wrote to memory of 3224 1456 scvhost.exe 97 PID 1456 wrote to memory of 640 1456 scvhost.exe 98 PID 1456 wrote to memory of 640 1456 scvhost.exe 98 PID 1456 wrote to memory of 640 1456 scvhost.exe 98 PID 1456 wrote to memory of 1644 1456 scvhost.exe 99 PID 1456 wrote to memory of 1644 1456 scvhost.exe 99 PID 1456 wrote to memory of 1644 1456 scvhost.exe 99 PID 4532 wrote to memory of 1560 4532 WScript.exe 100 PID 4532 wrote to memory of 1560 4532 WScript.exe 100 PID 4532 wrote to memory of 1560 4532 WScript.exe 100 PID 640 wrote to memory of 1820 640 scvhost.exe 104 PID 640 wrote to memory of 1820 640 scvhost.exe 104 PID 640 wrote to memory of 1820 640 scvhost.exe 104 PID 1820 wrote to memory of 228 1820 cmd.exe 106 PID 1820 wrote to memory of 228 1820 cmd.exe 106 PID 1820 wrote to memory of 228 1820 cmd.exe 106 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 BsA2woE9zZbLwSC.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 BsA2woE9zZbLwSC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"2⤵
- Deletes itself
- Drops startup file
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe"C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js"4⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js"5⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1560
-
-
-
C:\Users\Admin\AppData\Local\Temp\BsA2woE9zZbLwSC.exe"C:\Users\Admin\AppData\Local\Temp\BsA2woE9zZbLwSC.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3224 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 20125⤵
- Program crash
PID:4824
-
-
-
C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe"C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bin.exe5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Users\Admin\AppData\Local\Temp\bin.exebin.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:228
-
-
-
-
C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe"C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe" 2 640 2406392814⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1644
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3224 -ip 32241⤵PID:1384
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
432KB
MD5db1c4abd9f89e2accb740f7c01cb1504
SHA13a290627dc9ceec7f013c48a4032d69573cc4dbd
SHA256877586c1dbff58fb4c4b9e0543c8e76bad590557b132d8f36b24733558ea02a9
SHA512474746e5584aa500a7ffbaef4e940c7631c38b4b74557a4b38a8e3a0434a427b3ffb1b7ab3f46a7d226bd3f789df62ee74fbc0f230e19cd246ca8cb6a27a16f7
-
Filesize
647KB
MD55afda7c7d4f7085e744c2e7599279db3
SHA13a833eb7c6be203f16799d7b7ccd8b8c9d439261
SHA256f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4
SHA5127cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944
-
Filesize
184KB
MD54e47fc3b25104418b7f7a5523e51639a
SHA1de60259e11ec477b9083d641ffdbc88230a0927b
SHA256f0e2f3ca73d64210c1d6a7ca07a2a145f3e94b0d41f99cd45f9fe008d288f345
SHA512a76d6098d2df124d4cb0f773410f186cd579d288d5cd30c6dcf90f24aca01b2d4777274abb1278287a9accada490bb1187209f8c53207c3baf8c26f606fc7225
-
Filesize
23KB
MD5345da28112fc97cbad74e45c510fd783
SHA1dc88113783ed200262428c3000c35fdd093c5b64
SHA256b6e61d4a8e0fe205cd03d4fa1d9ffc4ce8c77b9a3efecdb6f9523dccf6bd9864
SHA512e9b294b03ffd005ce6d8380be285baf762d0f135676c1fd4737f43c34e39ad3da77e7c3a07a7197475c1d17b09628b03e9e9c1808698dd89852ad60b9febfa2d
-
Filesize
13B
MD561f8a15f0bf3ef90a36796b6cbb7b105
SHA19a0893ee4bfb0e58c64902fc4da215dcbec12e3f
SHA256678150f8aa675320e486b135418a7ed5b546514a5aa808588eccc12fe8cd2130
SHA5125afb5a40e95b289db50db7aa151a5a526ef04824533fccd0ad3d6ea813cc5621b8009521d7f5db69fbcb1a46640e963427fd6b42721df26f1fbfc89f59a8abab
-
Filesize
11B
MD5c62837b28d4938edd0ed433c62d0fbff
SHA1e9ea5b724941b7c1d2ac740b896f97ad804e58d3
SHA256041a0aa02efee5c154ee06e5bb07fcde75d5a2a0277e390a170cf9e719d93ffe
SHA51212c5692a05b1b8b4fe6e2f4a7347886cfcc51b62aec46dbeaaa3c0c8949576e7693ccb60611a9915c9f2a7376003fc71210ea580fb0976783c3bf268ac132793
-
Filesize
13B
MD57294c881f5e23198c7000056e50ef7e7
SHA165f942dda2ae75aad6444e7a9ccc7352b5c88e23
SHA2562be7f0deacefc2c099e3309e42989fac20dc32af7e722d0bdeb3bc72f44698f4
SHA512ca66605f5b605bdc060ae870fd4d48b20651e0fa8ae126de3e511ada760d1e32fe1709ae536fa46b166d89f1d36501130f9a86c845c2a2776bbdb8f577e7ddb3
-
Filesize
1.9MB
MD59dd6a382a4b8e3295ed977f1cc176c0a
SHA1cd990deea4530f113c617b9cda0eeea7ada9170e
SHA2567910fea09618fde1ba6c2e3ea088de50109e685d20ae1c08df2f8b530fddd964
SHA512a9181c76e87101bedff793689df0d60d89e49469b0b6f768961f0185bbda82d78837db236a2a8bf9585252ee467d2081ce02769662b57d6b3386836550d5e7dc