Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13/09/2024, 19:19
Static task
static1
Behavioral task
behavioral1
Sample
debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe
-
Size
1.2MB
-
MD5
debe64957d3c8bb73b2f8f6d0809ce2c
-
SHA1
f95c34e95d29dbd66c1cf8a1b6d55d7a96aa104e
-
SHA256
2558eccb07cf148d31f2dabfb740f551e9107fac6287338b075f30e4530f4337
-
SHA512
be2cdc15b15335d92edd7f85881602b744c694a047b33e70b2e739f281c4c3092fb1ae5ea053612dc5bd7975c6f5d922b6842d7b1128fcfe90e4b7d89f4b7a38
-
SSDEEP
12288:YcZxYULthiYyS6MgHajxUM8GmXoxPl54pQ1QTvHz6yYEcUl6oKhG+xS6Y9Dg1DFW:7ZthioTxmTfzlovxHSU2othioTxE
Malware Config
Extracted
cybergate
v1.07.5
HoN
lugntoklingar.no-ip.biz:1992
lugntoklingar.no-ip.biz:3128
lugntoklingar.no-ip.biz:6721
lugntoklingar.no-ip.biz:6722
lugntoklingar.no-ip.biz:27015
lugntoklingar.no-ip.biz:2000
JKQRE8IUL10FA6
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
explorer.exe
-
install_dir
WinDir
-
install_file
svchost.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
cybergate
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run vbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\svchost.exe" vbc.exe Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run vbc.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\svchost.exe" vbc.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W712L4M4-X302-M767-PN53-SFKXCFBF6BWJ}\StubPath = "C:\\Windows\\system32\\WinDir\\svchost.exe Restart" vbc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W712L4M4-X302-M767-PN53-SFKXCFBF6BWJ} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{W712L4M4-X302-M767-PN53-SFKXCFBF6BWJ}\StubPath = "C:\\Windows\\system32\\WinDir\\svchost.exe" explorer.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{W712L4M4-X302-M767-PN53-SFKXCFBF6BWJ} vbc.exe -
Executes dropped EXE 1 IoCs
pid Process 3620 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/1680-27-0x0000000010410000-0x0000000010475000-memory.dmp upx behavioral2/memory/1680-28-0x0000000010410000-0x0000000010475000-memory.dmp upx -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Configuration = "C:\\Users\\Admin\\AppData\\Local\\Temp\\msconfig.exe" debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\svchost.exe" vbc.exe Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\svchost.exe" vbc.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created C:\autorun.inf debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe File opened for modification C:\autorun.inf debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe File created F:\autorun.inf debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe File opened for modification F:\autorun.inf debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\SysWOW64\WinDir\svchost.exe vbc.exe File opened for modification C:\Windows\SysWOW64\WinDir\svchost.exe vbc.exe File opened for modification C:\Windows\SysWOW64\WinDir\svchost.exe vbc.exe File opened for modification C:\Windows\SysWOW64\WinDir\ vbc.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3476 set thread context of 1680 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 86 PID 3476 set thread context of 1820 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 87 -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dw20.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vbc.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1416 vbc.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process Token: SeDebugPrivilege 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe Token: SeRestorePrivilege 180 dw20.exe Token: SeBackupPrivilege 180 dw20.exe Token: SeBackupPrivilege 180 dw20.exe Token: SeBackupPrivilege 180 dw20.exe Token: SeBackupPrivilege 4568 explorer.exe Token: SeRestorePrivilege 4568 explorer.exe Token: SeBackupPrivilege 1416 vbc.exe Token: SeRestorePrivilege 1416 vbc.exe Token: SeDebugPrivilege 1416 vbc.exe Token: SeDebugPrivilege 1416 vbc.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1680 vbc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3476 wrote to memory of 1680 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 86 PID 3476 wrote to memory of 1680 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 86 PID 3476 wrote to memory of 1680 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 86 PID 3476 wrote to memory of 1680 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 86 PID 3476 wrote to memory of 1680 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 86 PID 3476 wrote to memory of 1680 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 86 PID 3476 wrote to memory of 1680 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 86 PID 3476 wrote to memory of 1680 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 86 PID 3476 wrote to memory of 1680 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 86 PID 3476 wrote to memory of 1680 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 86 PID 3476 wrote to memory of 1680 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 86 PID 3476 wrote to memory of 1680 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 86 PID 3476 wrote to memory of 1680 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 86 PID 3476 wrote to memory of 1820 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 87 PID 3476 wrote to memory of 1820 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 87 PID 3476 wrote to memory of 1820 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 87 PID 3476 wrote to memory of 1820 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 87 PID 3476 wrote to memory of 1820 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 87 PID 3476 wrote to memory of 1820 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 87 PID 3476 wrote to memory of 1820 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 87 PID 3476 wrote to memory of 1820 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 87 PID 3476 wrote to memory of 1820 3476 debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe 87 PID 1820 wrote to memory of 180 1820 vbc.exe 88 PID 1820 wrote to memory of 180 1820 vbc.exe 88 PID 1820 wrote to memory of 180 1820 vbc.exe 88 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55 PID 1680 wrote to memory of 3380 1680 vbc.exe 55
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3380
-
C:\Users\Admin\AppData\Local\Temp\debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\debe64957d3c8bb73b2f8f6d0809ce2c_JaffaCakes118.exe"2⤵
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe3⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4568
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵PID:4528
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"4⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1416 -
C:\Windows\SysWOW64\WinDir\svchost.exe"C:\Windows\system32\WinDir\svchost.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3620
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 7884⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:180
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
225KB
MD5078299dbea776d2ca864995ae2060622
SHA1c71d847e1036609aa71eeb92d2f22d30a8e7922d
SHA256c8eb01cd825f4c8647e32b143f0df8f5221cfd89bc750f56f540e6d517e36985
SHA512d778a72961932768379490919643bf7e78f71ab120b6c357dceb1fb2f5577eceddb5b22be82c0c1b8f51fe31f2d5708eb87b5a65dca921109ae71ce8eec115aa
-
Filesize
8B
MD54b626507bd31c6e9363e80268bdcac10
SHA1653647ecad4f8019f8b9f815ad73a08e2c1ba251
SHA25645e572d4be783d17be953b7a40e353bd0ac383d6613a1b528b61f591f3d1dd30
SHA5120df10d9e72163628790112732ea78ff0eb26b33d2ba707db80ca0278a31f4393525814fa617c90aae903f2bfa6e9e09f09aec86eea1ec84bdce6b0217241947c
-
Filesize
8B
MD52d3601b803c81ccd0886778a1ce77b3d
SHA18d96c577648275623110a1a47c5223f8bd668f07
SHA25625ec91d6099d3ef874fc06d319798ba7fac3b6e8aa0c21893ce0725033c1a1b8
SHA512dfab514d87ef2c4423591678430f8de34f665dea4c039261ff9a6276de79a8d1d1ebde58da57cf8a93e67aee09eb276b93f648918944f28015ca4a83283b6887
-
Filesize
8B
MD5f3bc3949e4552224881615e65f83f694
SHA13ad6f394a0d25b1b8970bbb9430b9a2f41c8d4ea
SHA256aa504c04c1b1a54b2d80cc41f8d79a36a780c816adff7431ca1b1552d9ba15c2
SHA5124dc1c732f049e2bac69fd94acdd35a09ec8824c3f4d7d2a0dd5afce10b18d2eb93a1cbcf6a994994930eb7636a28c6e224e6b45ce6bf47aefe16f36d28a4cbb6
-
Filesize
8B
MD5b21e5031fa5c2b2df44ce95f046cff4a
SHA1e425422e49887fdce5038ebc575c283e1245e2d4
SHA256a33b717baca24f19f9519cc2e48955063cd427e823e0abbab4a30e5dbbe2333a
SHA512bc344cd8091d4ebd2a344524e4f22d29afcfaeca8421c33a247ed4c0a8f3a41ce66a5a76d3c59dbd3eeb6ee947df73e2e64ff50a35767e2e6a71e8f2f842e9eb
-
Filesize
8B
MD5980bbd541aad541e5580cab9c32cf999
SHA17fa9d5b84685e5a8fd03573df6c73840607b184a
SHA256d06c5f1bd135c5d251cf2282764a9c21e822299848720c0198b0f363fafa7749
SHA512ec432f968ef2309b2ef609761b4c98ec26caeddde97501d12916878807d67f03d44648eefde5dcfb7a7d7cb79e1aabbffa5987c1f55fe3536d2f252fbafbddb5
-
Filesize
8B
MD5d48c31ac0ee5baba02809cc323289634
SHA1b2c348e797949aa7048a3d3933701f3c4e645312
SHA2560686ce5a5b625bc95b6ba5e38abebe0f39df6fe4916c3720926df36c0eb4b427
SHA512d4902f237cba1ae498f71b7369ef92c4b284550156689c7f63112624dce71cbd143111992ed32f02792c2c37206f4d9c5c20d0384b22fe1b798514b8159442c2
-
Filesize
8B
MD567a846a5a3ab8b3fca3b562d14b412ec
SHA11078c57cb3f1873e73df7517aa9c9e91ec3c028d
SHA25669f9b0cb12e145c6e192827f9ab70c7e8c2553b91c7a6b490df1e2211681c170
SHA5127abea24928c62175639b7a6bc449536a142b9873db34c2f43ad59ab1f0fe635190d96341b6e3ca7883878ae334ff677b642a228916c2b3344bb8c1eedbd00c53
-
Filesize
8B
MD5e7035ee9bee2faf7b543dd56dbfb1b16
SHA115937a43a6dc2035e9e6c48cfe8f34c2117c6ce9
SHA256d381af31e15f06d27281a23c82c7379d11bf86c29f84fe4f7ad1cb5e1f3cb23a
SHA5123b14e0aaa4052a4c17fbb2bb153d6c2f892f237c83858645beb0d8482f119868b64ce30fec8cc6fc7c8a7e7829d76ff5a7d6a74473e98a239e71e661786e73ae
-
Filesize
8B
MD54c38d876f0a6df044dcb8092bb0c3721
SHA109b01f1bd0bd8b7b86b3335ebcef41bddea24ebe
SHA25606ea9c244b6ec830d00450e2865488cd9f8a720b99fba3b6c6969c5bfea2db24
SHA5124148042051028b8989a2585ebe2f7a6d04a9c942da184e78bc31521d10ca8df1343b2767521a0472fa08e9cb35c2747b2b84912b8973195188e5237b94852cda
-
Filesize
8B
MD59fd3cdaa153ffacf70cd8ff87afce0e0
SHA126a730764303099db1402aea59ac4c03310fd67f
SHA2566f953448a6494ac2d6fb1f7702e503d7a8a5f8ea0998b9d5a4615ee6663bd263
SHA5120b8bf35566e2157d0d784f97ef8a1274de63e5977b750009fe48d76e45bcaff5f415f0f230a986eeb96482428e7334e61ab6bd52f9c98e5ed0e79ea44cdecdc6
-
Filesize
8B
MD5dde21056aff8b1ca2fea027c33e4e96d
SHA186d3e579405795c70b18f2af84335e582910e59b
SHA2561267e7eaf86f94b034afb393824dc4900c9edb11d4dd8fc0f978351baf2d5651
SHA512c9c45d65789805585aa9a2e6f7cdc5cff7e8f56c56a534b2a0ded38c193456d10b72b664736fdef8ae75e5fadac5f16d60e5939c59d05ed0ea55132ed47966e5
-
Filesize
8B
MD5fa988f453a32210b58b6460b1996c736
SHA1c222e34310356befd32e8184e8590479c5258fe5
SHA2564a1dfc2dd66d1eea3d5a2ac5ed929b9f15b582f45e2edbfffe8cfb6478938766
SHA51243ffa6d6fbf5bd292b6a9d3851ae22c5fb0577ffbd2d0561e260649e1ff0a4741aff8e7e8d2e66939a6b144edd088efd6d2358e577c22ff75c0e2add8fe4fbc2
-
Filesize
8B
MD57b7c0fa0dfaddafdfcd5d521ccfba734
SHA18b8c3d110e46ab73e64a2bf49d21f6aad35216a9
SHA2566781feb3701c8c153b8e65842f5a878ca66994c686f551abb0c01a23fb49fb1d
SHA512e4c68fdb898e5d031baa69825b64c104f416990212feb7c9c5ad975c483885acdf33702d35ee1aff5beb64986effb8b758d2b54466244e6e18cabb4ab90d46ec
-
Filesize
8B
MD584fdaa94fccd537a2b2507c3cba422ae
SHA1c1200764ea1dd1575b8c6a7491b0d8d1c992cb49
SHA25671d82635cf784287eb7b29da13896fc704ecd21e39ac0266ba1a9ee50cafacc0
SHA512eb36610b81a51815f1b03edc76a77525b5bdb7b077428253c87502570a4e523f63f1127583bd6f9ccf027188c0fcafd375c3ef2f21c35dc36622396dd2e103a1
-
Filesize
8B
MD572dd7946a65549c9d3625b0d13b2d17d
SHA15d3ce4f771fa762af4bd41c27167d89ad30850c6
SHA256e32ce661d61aac9b984cf314906ffd75be5a921834119284b62c99f2c522a9e1
SHA512e6de4d761ae43898cb14fe382e904b6009c2f65f4cfa7a2508e6f2134a0e0bee93562de77ace62352d872030b7e504c0a143ba5807a76a2853f4d5c48f6a4a68
-
Filesize
8B
MD541937ff958943f0faa126cba9d4dde78
SHA1db815f9d6b25788bf329fa2b85a28c030e9111b9
SHA25674ec9126cf862ac0924d44523d2747f4905eb9f5b50da4d0792088d9bdd1bd65
SHA512847e68296e26dab7c5586189bf11b2714d8025ad76ea2fd2ecef99cc602860798498dd769b4ae013826b949f43b90d3c68487d18adf8b0cbed74494753f12ee2
-
Filesize
8B
MD54897e307c0acd5470108b5b33156eaed
SHA1a6310dc43c9d644ed09394be3e72807f46cf00bc
SHA256fe7f18441f265e7902d10ffcad2d4fa1088fa665419aa4257e536bed7f08b7d8
SHA5129e368badca69cb315cb0a10af96030a2eed717923a2802a77580a15d44afb406a1a2905a424df43c21b1eaa27420d93c12afdb2ea058bb072f7b191ed1e842a1
-
Filesize
15B
MD5bf3dba41023802cf6d3f8c5fd683a0c7
SHA1466530987a347b68ef28faad238d7b50db8656a5
SHA2564a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314
-
Filesize
1.1MB
MD5d881de17aa8f2e2c08cbb7b265f928f9
SHA108936aebc87decf0af6e8eada191062b5e65ac2a
SHA256b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA5125f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34