Analysis
-
max time kernel
144s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-12-2024 07:22
General
-
Target
JaffaCakes118_1941b357d89fd7fbe6bdf975f25208c79c449de5f273a7b4ee9c9026ce4fe99b.exe
-
Size
1.3MB
-
MD5
ed2d9ea27366bb2e7dde45eb585f6ef4
-
SHA1
dc1a8dc204be3a150dd8520875ea8c6d99431780
-
SHA256
1941b357d89fd7fbe6bdf975f25208c79c449de5f273a7b4ee9c9026ce4fe99b
-
SHA512
6c4baaa9ea642859706c7e62a4ed849287bd5802bc2f0c71272e7126c706fa9aa997db2e880309da68fbc1e6fecdd7d4930fc20f2756a9bca95ad65274e42f3b
-
SSDEEP
24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 9 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 13 IoCs
-
Loads dropped DLL 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
-
Drops file in Program Files directory 6 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1941b357d89fd7fbe6bdf975f25208c79c449de5f273a7b4ee9c9026ce4fe99b.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1941b357d89fd7fbe6bdf975f25208c79c449de5f273a7b4ee9c9026ce4fe99b.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\providercommon\1zu9dW.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\providercommon\DllCommonsvc.exe"C:\providercommon\DllCommonsvc.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\conhost.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\de-DE\spoolsv.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\csrss.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\winlogon.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RhYkRZa0Kx.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GrfoiSU1wP.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵
-
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat"11⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵
-
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat"13⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵
-
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"15⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵
-
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat"17⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵
-
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat"19⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵
-
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat"21⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵
-
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat"23⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵
-
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat"25⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵
-
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"26⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\da4noHdFs8.bat"27⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:228⤵
-
-
C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe"28⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\Sample Music\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\de-DE\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\de-DE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\State\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Setup\State\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5d9875cc0561060125e067268ef5d7ac6
SHA16ad34209c0a248a8530d01501ae03add4c52c078
SHA256bc1d5fa0b11a5694868c3048415b7d839f8b9081a0fe391642a28ddea80e297d
SHA512a9b0c59e5dec258f6adb9eb6f66bcb3c5272650d59370a756a681426fc2cd225bf63c7fbde0e622e5fe6f1af42b59738dff6ac7b07e1c339d71044061463da54
-
Filesize
342B
MD52443f60a913e6078df683d2e982fc087
SHA120d13d37dc1ff35d00b867d2acc74cf217d979f3
SHA25619b2bbecf0b8334453de47a1ce65a669108324bd628dfebcde4fdc596f4d0223
SHA5126bf51ce4900b94820cc3ce67d96cc325c9a513fb2b4b00401c7c6ff6778016e52f93cc1b6380e0918eb961817d548a571fe7b0277a9ec1555a73df3ac983bf8a
-
Filesize
342B
MD5aacf46afcdd4b1a6a5ae3e05d31356bd
SHA1b41b13265d463833a86108464a9551e7b542130d
SHA2568d4ea381467d9f78dde2b371f23fab8ee93a2cccdeee1a203d4b77b85a3229c0
SHA512ddc692af4f78ede65b96af32a8d8e4329b3a670957b8a004374c79f824db704b31fcc17d6bc1c7b866945dfecf271980599526063c1323cd660694a1aff7a290
-
Filesize
342B
MD5116293d4bc0b11831e4d471dd654f37b
SHA1622331f3191be7ed4837297d0806d702aef927f4
SHA256a8a4fcbe78daf2a7ee9db62172b7f93409a38158f510a125c68042edfce36920
SHA512d9baf522e17fa5e71405b72d7d1b5a48e4043412e83e9833635391986301feb6593528538d91425cc10da9062293e502aca3d32ee1b924174373995f2cfe1b1b
-
Filesize
342B
MD5e545fd0695d9c1740f7b1bc0ad22f9e1
SHA100ba588371e8817933690d50096cc0b6d5e23e5c
SHA256ef51acb1bcaaadeee97669bf7bb6c54f0b37c337ceb1afb0b6474634eab1c56e
SHA512881fa1f4e8a543e15d9b4b2fb7fb24314a4c1e61b70b0015bb55a36b4206ef21e93a21dcc20f291b9635dc7ffe4689f7c096e4e1119edc768887f77646b94603
-
Filesize
342B
MD538325e1825b9beb5d0b9ead6333ea9c2
SHA10ec8de96eeb52250dce18632deb1ba1e8bc72ce0
SHA2560454fae1ba46d18e3cfa0bdd50c97a4ad340dd6bdb8cccba44b1e974c60b29c8
SHA512dc59e7123d232264d47e9d8445b8fb27de99ae55b3bf39d23bc4ec35d382bdd0335c0e7ab05a3bc14d136e3d0ca5c0354a56ee5911b7529ceab2f7d909307537
-
Filesize
342B
MD537d7b93de13caf3d178ce8c73cf8080f
SHA18a5c84c574580613e97c22c9a6906f8dbeef0716
SHA25605d6609e02553fa69486277bcf42536d94987c5b17069815bd5f7b24fe77de2b
SHA51202fec77a6ca5bdb94de8e0faf2c4d901dd4c3bced540f3c0c7220f76259d378c564cb6685792a6a3dfbdb65e0086eaa4e8347f4ee1f2210b94eadb804495300f
-
Filesize
342B
MD51a89ff19a166f0a3dacceb00af0c74ea
SHA15eb2f5357c069c21b3a937eb506c60778be08bbb
SHA25627dac4fcbefc168acd98a80d9d620896c9733493931a28ec31638dd42bac20c9
SHA512c1c0f6bbbc8351b3aebeefde46a75e71b03084bd41f800d48d9eed7da2aba563f2fadc3cb7f206669a9f179833cbf59a6a224e0020ea386a0cf09b75c1705ae4
-
Filesize
342B
MD5f84c4bc7f173b0a78260655dfbded06c
SHA19cc5f03d19e44c8c132253ebe9986b5480e5bc47
SHA256bfdaa9e08b18e0c0ab49a903a2df8477bdfeffa7e1f2a361e242b943381777f6
SHA5125186aea2262dc113ecde5751c78d7d99ec85b3741242935d1fd3d6cf03f76e9dcf05a689bbfd1b54aa24c09610d9ce18cbc9d88d70b4ebfbdf32c847b6180288
-
Filesize
342B
MD50b8784e8009afe2c8606c74b92bcf7d9
SHA1b0f16c26aad37ef57034143d655e5cb1935a4b6f
SHA25694b8f1e5149a53355911d1fac095ab859670980b86e8ed91f0f88974239dadf3
SHA51215dc8434c2e705b284ef68dc291529f3fac581ff1acab5fd1888c08475c134b35480fbdf1a4ac7a689d3683993a8e00fa509c8a3569001775a49f708aa7aac84
-
Filesize
241B
MD504e370fc720c065e7a7edf13302b7376
SHA13add3c14de4fbe9da428c35add0d1dd95d01b66b
SHA2565f1d5406fef1192e147b3a6a9f350336b7a56cc5b968780f7ad7de0973cd0f50
SHA51245fc4917e146a5ec64e747080f973c1b10f2207d6273ed4a122f467a78ebb99e074fbef6d29d0369d9f10de6044f42175987381f5eb8780c2fd693f100291e51
-
Filesize
241B
MD5eed603d3bfa3409312104c672128ef35
SHA1050275e8caecf9f40ac2db0f02569af2e684c7a4
SHA256ff218c5ef9ed18c36239e17df49c36ce88782cd8da635cf2abbbc92c78e3665c
SHA512adfa147cc9b84e999ad094fe9905917192b0ab29d21f2bab3f470bfead571e5c5897ea41ea920c36898b7c3b599f09571cdab5c09e2a35705ab8b6eb8611fb59
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
241B
MD51fa8de5459296b64abc98e3a35f9e5af
SHA1c208b645bbc657a8bffe41372911c1a3c10a4a32
SHA256fd9ca9dec7a653577729c2f15642a84829ac0c0c71744b5c1de4c2ca501cc873
SHA51285df7ee51c02cd52b8e4f7ae02260950e1df0c9124cca19b9a8d9d9ebeb79f5decd700a5a6c075c012c96f29c7a9739a959690fde1d897c1b3c2db61700b93c7
-
Filesize
241B
MD5d0170bed4ad83d677b2b3ac415a3b2b2
SHA12e76377f1dfcbcea9b538c0ccba51f79b5d3d5f7
SHA25645aea09419083b0468f37f2bce39dfb4f873b29d2bfb6a7dc56ae0c3bbf50341
SHA512037901db6c247741ed57ba4ceb041935848436c3d0a01b411f9d3f5d477a057c7bb20b5b1bae4754fc12daf3318ae13fdaf502ee1018ee976f228648043d2238
-
Filesize
241B
MD558212ad846dde287693275c2b9254077
SHA1b29a68ad29598066e41b391a2acc74b98e5d3bb9
SHA256f166df4c3a410347623cf0c484d7501f9261b4f155be0c007ae4e9dc984a0c26
SHA512165bd09ca440e3c8914242400115ce0a96d434733e054fa17c8fb947ebc10ccda8d3fa0ec5971fcf0ddb5d3c77143cae5e02e952e16e0507af1f060961fbe60b
-
Filesize
241B
MD5ef59b8c4424b420e9a5ed0770341c208
SHA17b1899e1bb63a4e6e725ba1b44a385b4a92e231e
SHA256a4eb9987f847e8dbaa3ebee5e960cd9b94b8dffcaedd1bbcc1eb8fb5d796e051
SHA512037d76fd65b50e57659adc790b9687aab67e45d905b0e74415d42073a5694eeec8aa40b1fc642a57a62b0cc1980ac090387f268b9f90895e0eda895d395b80d4
-
Filesize
241B
MD5564a1d4235ad278da2cfdabad3a17638
SHA13ccfbbf2e49b5287b7fb04279937b9417621244a
SHA2566828a65fec45fb70ca06d240a9b39826ea22fbbacb1b5158e4bde39a3f391aa2
SHA512cb6bac1acabec7732b340cdf4bca841b82fc6eb0d4132ba2d70a231e117b0277a156f9370d47f729282538259332cd9052ca8c0e6922f65c3fe03bbac3a7a45e
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
241B
MD5de7197d8e6c0291a1d2e8800a4a7970b
SHA1ab42851aef01caea5858fbcdc888d1acbcc9a812
SHA256cd5f1d5691dd8b8ec52b9f17af8ceefb58217253028a5d54a33eac12d8893271
SHA51219a94903f315fb45b90b51e62df699d409185a966aea7d787d2c03f4b4045b9670aefb63bbb092cb78743c100f5b422e0755a0db1fbf728bdbb52390327ed2e0
-
Filesize
241B
MD5411705ed1fccaedaefc0d5ffd93a6529
SHA16d07d7acbe4d546d315de75fb06faeb6dbfaf6bc
SHA25617a14fb629495554d8071e7bd72a9e318ec35d0f2cbf943efea1f20be0f7b0fc
SHA5122e50079695cccf5b8f6df3edf88da5ab78f87833ade057026c21afa46a17a5cfa5ed53d8d2ebd0fd592c891c16d45ffd809675523e680799579f78e406fea90c
-
Filesize
241B
MD5e06d955d50c7ac6dfb7b05b5d10d1a02
SHA14a82f093659e8e4f459ef878ebc2bae33281baf4
SHA256a160274fd5d4d151a952a9dea859e6408c99317b28d0aaffefe7b0d999ed8a64
SHA5124924defd45a9519a2b22b34fe08d82b2c5abf59633e683c43b31c7442ff7e2c377b4ffadefd46739c7db5e72c1ab93cd065781873a0ce4a47572a80e5441c946
-
Filesize
241B
MD5a1c2ad45bf9d2b9eaca7655fb94780d9
SHA17eaf86b3cbb4ca77e94fa6beb57baeb942eb5ed3
SHA256281ccab7e6e69603467ce8826845240da1c783b487dda21d79cc8de520f3f9ca
SHA512ea0568732fea39744506390b1fc2c7cd15bb767f3e2a8fc65aee4af325c90fa7519bc0265ac4dc850fd6a1c7112789ee35995aff3988f2c56b6153375549a60c
-
Filesize
241B
MD51672bf2bbb061f6e9c90790b2814cbe5
SHA10946582f20a1a793c5ab569faf813bef0eb72977
SHA2561b45d93271d497e4447413d10f1a42649b8f54545a153a57d1af9fb0a8cc90a3
SHA512a868e0fd6dbdba3a2e8bdf19dc28d2acede35a5fd159ff59f593a5d1cbad7c90a3c8c52716337cad7bf3d16d0fbb187ed827ccbe40bf3f669ea2ad6b5354877f
-
Filesize
7KB
MD58796b08acbe0f33837f27f6c24eda866
SHA1b0c1faeccbaeb0c166183dbceeecc0a0f1cfc4b5
SHA2567eecc6c710eed3458e8ff09a4779e7141942081f2425319c2b16019746603e5f
SHA5125ff879ec6a19cc2058e25649a755ab3b23e17661423966ef213e327914eadbbbb9455e99782526e3ee53a3bbf9adac3b1ccd24397448c0fb9159dfb105a41dac
-
Filesize
36B
MD56783c3ee07c7d151ceac57f1f9c8bed7
SHA117468f98f95bf504cc1f83c49e49a78526b3ea03
SHA2568ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
Filesize
197B
MD58088241160261560a02c84025d107592
SHA1083121f7027557570994c9fc211df61730455bb5
SHA2562072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA51220d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
Filesize
1.0MB
MD5bd31e94b4143c4ce49c17d3af46bcad0
SHA1f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
2.9MB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
32KB
-
Filesize
1.1MB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
72KB