Analysis
-
max time kernel
94s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
27-11-2024 18:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
14 signatures
150 seconds
General
-
Target
a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe
-
Size
467KB
-
MD5
a91672ac89d1826a72f3f71e57f5b13d
-
SHA1
25c842879a8658dd70658b7ffd5669b98cc61f0d
-
SHA256
d8ba821aa37d8c83ee00f809de729197eb340e17348274eec26469a3be34f894
-
SHA512
dfa07f9ea006ac36cb4ab36a6d4e10249d0452fbec7a677b66b23c1d91ef4e803cc019446d7309f49db844675e978a74f9cb28fe5e2289c77dd37681e2b8e13d
-
SSDEEP
12288:tpW7YfiziEBcpY08g0CSbEcZt7fsmrwN0DCHh:PfGigo8gXMwNwCB
Malware Config
Extracted
Family
darkcomet
Botnet
New_server_Crypter
C2
leetaka1337.no-ip.org:1604
Mutex
DC_MUTEX-K01XBXU
Attributes
-
InstallPath
MSDCSC\winhost.exe
-
gencode
cattbKvVMm69
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe" a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe" winhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe,C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe" winhost.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation winhost.exe Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation winhost.exe -
Executes dropped EXE 8 IoCs
pid Process 2332 STUB.EXE 3096 winhost.exe 1816 winhost.exe 1692 STUB.EXE 3524 winhost.exe 3908 winhost.exe 676 STUB.EXE 440 winhost.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\cattbKvVMm69\\winhost.exe" winhost.exe Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\winhost.exe" a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\cattbKvVMm69\\winhost.exe" winhost.exe -
Drops file in System32 directory 11 IoCs
description ioc Process File created C:\Windows\SysWOW64\MSDCSC\winhost.exe a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\winhost.exe a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\ a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe File created C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe winhost.exe File created C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe winhost.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe winhost.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\ winhost.exe File created C:\Windows\SysWOW64\MSDCSC\winhost.exe winhost.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe winhost.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\ winhost.exe File created C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe winhost.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 5012 set thread context of 4532 5012 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe 83 PID 3096 set thread context of 1816 3096 winhost.exe 88 PID 3524 set thread context of 3908 3524 winhost.exe 97 -
resource yara_rule behavioral2/memory/4532-4-0x0000000000400000-0x00000000004C4000-memory.dmp upx behavioral2/memory/4532-3-0x0000000000400000-0x00000000004C4000-memory.dmp upx behavioral2/memory/4532-6-0x0000000000400000-0x00000000004C4000-memory.dmp upx behavioral2/memory/4532-8-0x0000000000400000-0x00000000004C4000-memory.dmp upx behavioral2/memory/4532-7-0x0000000000400000-0x00000000004C4000-memory.dmp upx behavioral2/memory/1816-64-0x0000000000400000-0x00000000004C4000-memory.dmp upx behavioral2/memory/1816-65-0x0000000000400000-0x00000000004C4000-memory.dmp upx behavioral2/memory/1816-66-0x0000000000400000-0x00000000004C4000-memory.dmp upx behavioral2/memory/3908-118-0x0000000000400000-0x00000000004C4000-memory.dmp upx behavioral2/memory/3908-117-0x0000000000400000-0x00000000004C4000-memory.dmp upx behavioral2/memory/3908-116-0x0000000000400000-0x00000000004C4000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language STUB.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language STUB.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language STUB.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winhost.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ winhost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 5012 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: SeSecurityPrivilege 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: SeLoadDriverPrivilege 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: SeSystemProfilePrivilege 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: SeSystemtimePrivilege 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: SeBackupPrivilege 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: SeRestorePrivilege 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: SeShutdownPrivilege 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: SeDebugPrivilege 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: SeUndockPrivilege 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: SeManageVolumePrivilege 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: SeImpersonatePrivilege 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: 33 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: 34 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: 35 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: 36 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe Token: SeDebugPrivilege 3096 winhost.exe Token: SeIncreaseQuotaPrivilege 1816 winhost.exe Token: SeSecurityPrivilege 1816 winhost.exe Token: SeTakeOwnershipPrivilege 1816 winhost.exe Token: SeLoadDriverPrivilege 1816 winhost.exe Token: SeSystemProfilePrivilege 1816 winhost.exe Token: SeSystemtimePrivilege 1816 winhost.exe Token: SeProfSingleProcessPrivilege 1816 winhost.exe Token: SeIncBasePriorityPrivilege 1816 winhost.exe Token: SeCreatePagefilePrivilege 1816 winhost.exe Token: SeBackupPrivilege 1816 winhost.exe Token: SeRestorePrivilege 1816 winhost.exe Token: SeShutdownPrivilege 1816 winhost.exe Token: SeDebugPrivilege 1816 winhost.exe Token: SeSystemEnvironmentPrivilege 1816 winhost.exe Token: SeChangeNotifyPrivilege 1816 winhost.exe Token: SeRemoteShutdownPrivilege 1816 winhost.exe Token: SeUndockPrivilege 1816 winhost.exe Token: SeManageVolumePrivilege 1816 winhost.exe Token: SeImpersonatePrivilege 1816 winhost.exe Token: SeCreateGlobalPrivilege 1816 winhost.exe Token: 33 1816 winhost.exe Token: 34 1816 winhost.exe Token: 35 1816 winhost.exe Token: 36 1816 winhost.exe Token: SeDebugPrivilege 3524 winhost.exe Token: SeIncreaseQuotaPrivilege 3908 winhost.exe Token: SeSecurityPrivilege 3908 winhost.exe Token: SeTakeOwnershipPrivilege 3908 winhost.exe Token: SeLoadDriverPrivilege 3908 winhost.exe Token: SeSystemProfilePrivilege 3908 winhost.exe Token: SeSystemtimePrivilege 3908 winhost.exe Token: SeProfSingleProcessPrivilege 3908 winhost.exe Token: SeIncBasePriorityPrivilege 3908 winhost.exe Token: SeCreatePagefilePrivilege 3908 winhost.exe Token: SeBackupPrivilege 3908 winhost.exe Token: SeRestorePrivilege 3908 winhost.exe Token: SeShutdownPrivilege 3908 winhost.exe Token: SeDebugPrivilege 3908 winhost.exe -
Suspicious use of WriteProcessMemory 45 IoCs
description pid Process procid_target PID 5012 wrote to memory of 4532 5012 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe 83 PID 5012 wrote to memory of 4532 5012 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe 83 PID 5012 wrote to memory of 4532 5012 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe 83 PID 5012 wrote to memory of 4532 5012 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe 83 PID 5012 wrote to memory of 4532 5012 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe 83 PID 5012 wrote to memory of 4532 5012 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe 83 PID 5012 wrote to memory of 4532 5012 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe 83 PID 5012 wrote to memory of 4532 5012 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe 83 PID 4532 wrote to memory of 2332 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe 84 PID 4532 wrote to memory of 2332 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe 84 PID 4532 wrote to memory of 2332 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe 84 PID 4532 wrote to memory of 3096 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe 86 PID 4532 wrote to memory of 3096 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe 86 PID 4532 wrote to memory of 3096 4532 a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe 86 PID 3096 wrote to memory of 1816 3096 winhost.exe 88 PID 3096 wrote to memory of 1816 3096 winhost.exe 88 PID 3096 wrote to memory of 1816 3096 winhost.exe 88 PID 3096 wrote to memory of 1816 3096 winhost.exe 88 PID 3096 wrote to memory of 1816 3096 winhost.exe 88 PID 3096 wrote to memory of 1816 3096 winhost.exe 88 PID 3096 wrote to memory of 1816 3096 winhost.exe 88 PID 3096 wrote to memory of 1816 3096 winhost.exe 88 PID 1816 wrote to memory of 1692 1816 winhost.exe 95 PID 1816 wrote to memory of 1692 1816 winhost.exe 95 PID 1816 wrote to memory of 1692 1816 winhost.exe 95 PID 1816 wrote to memory of 3524 1816 winhost.exe 96 PID 1816 wrote to memory of 3524 1816 winhost.exe 96 PID 1816 wrote to memory of 3524 1816 winhost.exe 96 PID 3524 wrote to memory of 3908 3524 winhost.exe 97 PID 3524 wrote to memory of 3908 3524 winhost.exe 97 PID 3524 wrote to memory of 3908 3524 winhost.exe 97 PID 3524 wrote to memory of 3908 3524 winhost.exe 97 PID 3524 wrote to memory of 3908 3524 winhost.exe 97 PID 3524 wrote to memory of 3908 3524 winhost.exe 97 PID 3524 wrote to memory of 3908 3524 winhost.exe 97 PID 3524 wrote to memory of 3908 3524 winhost.exe 97 PID 3908 wrote to memory of 676 3908 winhost.exe 98 PID 3908 wrote to memory of 676 3908 winhost.exe 98 PID 3908 wrote to memory of 676 3908 winhost.exe 98 PID 3908 wrote to memory of 440 3908 winhost.exe 101 PID 3908 wrote to memory of 440 3908 winhost.exe 101 PID 3908 wrote to memory of 440 3908 winhost.exe 101 PID 440 wrote to memory of 720 440 winhost.exe 102 PID 440 wrote to memory of 720 440 winhost.exe 102 PID 440 wrote to memory of 720 440 winhost.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Users\Admin\AppData\Local\Temp\a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\a91672ac89d1826a72f3f71e57f5b13d_JaffaCakes118.exe2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Users\Admin\AppData\Local\Temp\STUB.EXE"C:\Users\Admin\AppData\Local\Temp\STUB.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2332
-
-
C:\Windows\SysWOW64\MSDCSC\winhost.exe"C:\Windows\system32\MSDCSC\winhost.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\MSDCSC\winhost.exeC:\Windows\SysWOW64\MSDCSC\winhost.exe4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Users\Admin\AppData\Local\Temp\STUB.EXE"C:\Users\Admin\AppData\Local\Temp\STUB.EXE"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1692
-
-
C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe"C:\Windows\system32\MSDCSC\cattbKvVMm69\winhost.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exeC:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\winhost.exe6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Users\Admin\AppData\Local\Temp\STUB.EXE"C:\Users\Admin\AppData\Local\Temp\STUB.EXE"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:676
-
-
C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe"C:\Windows\system32\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe"7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exeC:\Windows\SysWOW64\MSDCSC\cattbKvVMm69\cattbKvVMm69\winhost.exe8⤵PID:720
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
128B
MD5a5dcc7c9c08af7dddd82be5b036a4416
SHA14f998ca1526d199e355ffb435bae111a2779b994
SHA256e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5
SHA51256035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a
-
Filesize
224B
MD5c19eb8c8e7a40e6b987f9d2ee952996e
SHA16fc3049855bc9100643e162511673c6df0f28bfb
SHA256677e9e30350df17e2bc20fa9f7d730e9f7cc6e870d6520a345f5f7dc5b31f58a
SHA512860713b4a787c2189ed12a47d4b68b60ac00c7a253cae52dd4eb9276dacafeae3a81906b6d0742c8ecfdfaa255777c445beb7c2a532f3c677a9903237ac97596
-
Filesize
47KB
MD56e9ee67b3cceaf1fc3bd53a9c33a3cc7
SHA11ce7d9f73b9da92385ec41e416d2cf7a6f2ccc03
SHA256e9509d87ec53efda131c636fe729180eea8c48850693f0c800fc04f88f5960bb
SHA5126ee77b3d3238e1507ab83f57fa06b88b384b5d8a804a27d93aab30622166b1bedd4796ec30c8dfca3b9085d41c69fd064014e0a424a79e9e8f15b79c6568fb1c
-
Filesize
467KB
MD5a91672ac89d1826a72f3f71e57f5b13d
SHA125c842879a8658dd70658b7ffd5669b98cc61f0d
SHA256d8ba821aa37d8c83ee00f809de729197eb340e17348274eec26469a3be34f894
SHA512dfa07f9ea006ac36cb4ab36a6d4e10249d0452fbec7a677b66b23c1d91ef4e803cc019446d7309f49db844675e978a74f9cb28fe5e2289c77dd37681e2b8e13d