Analysis
-
max time kernel
140s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14-09-2024 18:26
Static task
static1
Behavioral task
behavioral1
Sample
e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe
-
Size
286KB
-
MD5
e0c6247a10e90d78a4bab1fea77d57b5
-
SHA1
34d4e5d8d54c0eda9b444879c98a5f1cac97431f
-
SHA256
d27671568091892834ec1ee00ed8d520a60110b373bee7647e18504695c9385d
-
SHA512
aad6dd2b8e20c6104e1c17f317f067dc97b5429e2a00c02f1aa66ac8b9112e4f6842e687887fbac48f153e4748ce26db3fec4f37d51ba737ee79cb1a10e609e1
-
SSDEEP
6144:W6jV3dXwqqSAOv3xgM1otCaLzVvEiSUd3/zDkR4:J5AKxd17advk0zDkR4
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
pid Process 1612 AAB.tmp -
Loads dropped DLL 2 IoCs
pid Process 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/1304-2-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1304-7-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2024-11-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1304-10-0x0000000000400000-0x0000000000468000-memory.dmp upx behavioral1/memory/2024-12-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1304-116-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/2216-118-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1304-239-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1304-293-0x0000000000400000-0x000000000046B000-memory.dmp upx behavioral1/memory/1304-294-0x0000000000400000-0x000000000046B000-memory.dmp upx -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\C98.exe = "C:\\Program Files (x86)\\LP\\26FD\\C98.exe" e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\LP\26FD\C98.exe e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\LP\26FD\C98.exe e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\LP\26FD\AAB.tmp e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AAB.tmp -
Modifies registry class 5 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1812 explorer.exe -
Suspicious use of AdjustPrivilegeToken 15 IoCs
description pid Process Token: SeRestorePrivilege 3044 msiexec.exe Token: SeTakeOwnershipPrivilege 3044 msiexec.exe Token: SeSecurityPrivilege 3044 msiexec.exe Token: SeShutdownPrivilege 1812 explorer.exe Token: SeShutdownPrivilege 1812 explorer.exe Token: SeShutdownPrivilege 1812 explorer.exe Token: SeShutdownPrivilege 1812 explorer.exe Token: SeShutdownPrivilege 1812 explorer.exe Token: SeShutdownPrivilege 1812 explorer.exe Token: SeShutdownPrivilege 1812 explorer.exe Token: SeShutdownPrivilege 1812 explorer.exe Token: SeShutdownPrivilege 1812 explorer.exe Token: SeShutdownPrivilege 1812 explorer.exe Token: SeShutdownPrivilege 1812 explorer.exe Token: SeShutdownPrivilege 1812 explorer.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe 1812 explorer.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1304 wrote to memory of 2024 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 31 PID 1304 wrote to memory of 2024 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 31 PID 1304 wrote to memory of 2024 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 31 PID 1304 wrote to memory of 2024 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 31 PID 1304 wrote to memory of 2216 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 32 PID 1304 wrote to memory of 2216 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 32 PID 1304 wrote to memory of 2216 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 32 PID 1304 wrote to memory of 2216 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 32 PID 1304 wrote to memory of 1612 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 36 PID 1304 wrote to memory of 1612 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 36 PID 1304 wrote to memory of 1612 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 36 PID 1304 wrote to memory of 1612 1304 e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe 36 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe"1⤵
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1304 -
C:\Users\Admin\AppData\Local\Temp\e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\D3A8D\DC526.exe%C:\Users\Admin\AppData\Roaming\D3A8D2⤵PID:2024
-
-
C:\Users\Admin\AppData\Local\Temp\e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe startC:\Program Files (x86)\8D11F\lvvm.exe%C:\Program Files (x86)\8D11F2⤵PID:2216
-
-
C:\Program Files (x86)\LP\26FD\AAB.tmp"C:\Program Files (x86)\LP\26FD\AAB.tmp"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1612
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3044
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1812
Network
-
Remote address:8.8.8.8:53Requestcsc3-2004-crl.verisign.comIN AResponse
-
Remote address:8.8.8.8:53Requestri-ang.batarryreanimayion.comIN AResponse
-
Remote address:8.8.8.8:53Requestnewworldorderreport.comIN AResponsenewworldorderreport.comIN A198.7.57.33
-
Remote address:8.8.8.8:53Requestner.kolabatory.comIN AResponse
-
GEThttp://newworldorderreport.com/img/3422.png?sv=591&tq=gHZutDyMv5rJeTbia9nrmsl6giWz%2BJZbVyA%3De0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exeRemote address:198.7.57.33:80RequestGET /img/3422.png?sv=591&tq=gHZutDyMv5rJeTbia9nrmsl6giWz%2BJZbVyA%3D HTTP/1.0
Connection: close
Host: newworldorderreport.com
Accept: */*
User-Agent: chrome/9.0
ResponseHTTP/1.1 302 Found
x-redirect-by: WordPress
location: https://qltuh.algiedideneb.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=critart109qc73bmqo50
vary: Accept-Encoding
content-length: 0
content-type: text/html; charset=UTF-8
age: 0
server: Apache
connection: close
-
Remote address:8.8.8.8:53Requesth-by9ygp37.batarryreanimayion.comIN AResponse
-
Remote address:8.8.8.8:53Requestczk--1ih.kolabatory.comIN AResponse
-
Remote address:8.8.8.8:53RequestTRANSERSDATAFORME.COMIN AResponse
-
Remote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A142.250.178.4
-
Remote address:142.250.178.4:80RequestGET / HTTP/1.0
Connection: close
Host: www.google.com
Accept: */*
ResponseHTTP/1.0 302 Found
x-hallmonitor-challenge: CgwIqquXtwYQxajgtAISBMJuDUY
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-QeR4ivXXaeAR_zKDYN7paA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Sat, 14 Sep 2024 18:27:54 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVYB7cpdEork2ryt33rgUHQ0AmF6XbNlDn-Q63Oju4Xxn3uhfWsj6Ot2GEE; expires=Thu, 13-Mar-2025 18:27:54 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
-
Remote address:142.250.178.4:80RequestGET / HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
ResponseHTTP/1.1 302 Found
x-hallmonitor-challenge: CgsIrquXtwYQ5tTebhIEwm4NRg
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-Pn8EAZO-i-sOkomzWI-nGA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Sat, 14 Sep 2024 18:27:58 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AVYB7colVOus6NTIqACdxsEsXIl6It5NfHGLtJV18xTMI-4YCtzb93x3-g; expires=Thu, 13-Mar-2025 18:27:58 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Connection: close
-
GEThttp://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGK2rl7cGIjCXzNADiZN2MCmRMXx1lD2080Sd3dE5AwFv7QDkMhBVTLKbosx_XQ3K2uT6xqr9xJAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMe0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exeRemote address:142.250.178.4:80RequestGET /sorry/index?continue=http://www.google.com/&q=EgTCbg1GGK2rl7cGIjCXzNADiZN2MCmRMXx1lD2080Sd3dE5AwFv7QDkMhBVTLKbosx_XQ3K2uT6xqr9xJAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
ResponseHTTP/1.1 429 Too Many Requests
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3052
X-XSS-Protection: 0
Connection: close
-
198.7.57.33:80http://newworldorderreport.com/img/3422.png?sv=591&tq=gHZutDyMv5rJeTbia9nrmsl6giWz%2BJZbVyA%3Dhttpe0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe398 B 521 B 5 5
HTTP Request
GET http://newworldorderreport.com/img/3422.png?sv=591&tq=gHZutDyMv5rJeTbia9nrmsl6giWz%2BJZbVyA%3DHTTP Response
302 -
446 B 2.8kB 8 7
HTTP Request
GET http://www.google.com/HTTP Response
302 -
359 B 1.5kB 6 5
HTTP Request
GET http://www.google.com/HTTP Response
302 -
-
142.250.178.4:80http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGK2rl7cGIjCXzNADiZN2MCmRMXx1lD2080Sd3dE5AwFv7QDkMhBVTLKbosx_XQ3K2uT6xqr9xJAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMhttpe0c6247a10e90d78a4bab1fea77d57b5_JaffaCakes118.exe526 B 3.6kB 6 7
HTTP Request
GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgTCbg1GGK2rl7cGIjCXzNADiZN2MCmRMXx1lD2080Sd3dE5AwFv7QDkMhBVTLKbosx_XQ3K2uT6xqr9xJAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMHTTP Response
429 -
-
72 B 127 B 1 1
DNS Request
csc3-2004-crl.verisign.com
-
75 B 148 B 1 1
DNS Request
ri-ang.batarryreanimayion.com
-
133 B 222 B 2 2
DNS Request
newworldorderreport.com
DNS Response
198.7.57.33
DNS Request
ner.kolabatory.com
-
79 B 152 B 1 1
DNS Request
h-by9ygp37.batarryreanimayion.com
-
69 B 142 B 1 1
DNS Request
czk--1ih.kolabatory.com
-
67 B 140 B 1 1
DNS Request
TRANSERSDATAFORME.COM
-
60 B 76 B 1 1
DNS Request
www.google.com
DNS Response
142.250.178.4
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
696B
MD512b1524d5543bf26db395773ca57a5a0
SHA1d84034890066778cfe8acda3dde6057315a39d41
SHA256a1c27bd3273ae106728f45bed2a6d6483c67ea0470b10f942d37ff6dee6eb3a7
SHA5121db86c9c46b6a77551bc97711e83079b842e22f5463dd0da0991eccba0d40e7baa9ad7cdf699a7595978985480cbddcf05b4117a347a295c3fef2fc1ab4c6387
-
Filesize
300B
MD5da1d87b8cef010df2fd19c6495d7fa1f
SHA16dbd41aee2aaa3af9cd0485b47f57bc7cc0463af
SHA256cd06cb380e29ad87f806d2a1dc22bb09b9994f6a467af7bfa5ff83b693c18802
SHA512c89b08210b9c234e6f3922b23c1dd182e6fe969bafc2df878e5558f186f50f65f457ec86d9b9d34fa6beff832f4f9c73aa036c4fd2a56ab983d342e32f4500a9
-
Filesize
1KB
MD589e175a43758d4ceeed96fdcc1a52c6c
SHA147a1e8d5afe53f5342b1b1f7bcda405462094bc3
SHA256aefaee070e91289c0e19ca6cf34d881a39a260e5948ec1833ad53a12c3878513
SHA512a029c2e335179aae6979f97165be0304baf8f78d65da54e35c0d98a8d2525728483782babd394cb0e2884c35c139eba9ea04f13ceb892b6fa5facbf956988978
-
Filesize
1KB
MD575ea1658a1927b258e1801e49318261c
SHA172768beba35d59d42abb75af81abc035c72fd613
SHA256ca579697b7257e0ec6b7deb690e67345d592ee4bba2904589f3821939e62f8e1
SHA512d71a34fd0ecb9a5ecafb3546d4c3074fffeb6903337d1c896b8ff291603aff4e2380ac1a136f148ef38452b810cb963cd26f1d03119dc4bca3bd539d5e95784f
-
Filesize
101KB
MD59830a063d6a451099715cfd584204e5a
SHA1175d36b11f755dd1a10b317f473c4c0de261b9ca
SHA2562f55100d9b31d4e69495fad29d831e7f1310f53089081da251ff52bf8b83ab28
SHA512c4aadec9e09277a4819e70eedeb9fb80ef4e6e982c3abca0479ba96f54c5748970a7c431de21996cee66dda86835db998fe22c822b1e9ff81d3a9256cd1f4f17