Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
24/01/2025, 06:21
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe
-
Size
1.2MB
-
MD5
1eb9eea740e4165eb9ae5dcee0d72862
-
SHA1
28dae67732b6584ef476b4c2900c40680cedacf6
-
SHA256
38f9dc7d43224d245fa5c1405fb3f624e2659f28655a59fc5737973b84cc282f
-
SHA512
f06301398fdf04fc4a6dad837373ed421343570e87a1080c76545f62409ee5ac4efca60ec4585317a82f0def8f6a8d238985e9dbad37a336667f1d2b53b6cb6b
-
SSDEEP
24576:SAQoDefT6HesrQrSDZhyZ+aan+mMfqZaRfAuYLNH9pRBFZIlPed9775:SAcGHC2ZUZ+umWea+NPpRB/Iped977
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 2 IoCs
resource yara_rule behavioral2/memory/1116-39-0x0000000000400000-0x000000000047B000-memory.dmp family_blackshades behavioral2/memory/1116-38-0x0000000000400000-0x000000000047B000-memory.dmp family_blackshades -
Modifies firewall policy service 3 TTPs 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\D3Sept.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\D3Sept.exe:*:Enabled:Windows Messanger" reg.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation audiadg.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation D3.exe -
Executes dropped EXE 4 IoCs
pid Process 3600 sarkoth.exe 2108 D3.exe 3580 audiadg.exe 864 bcdprov.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\audiadg.exe" audiadg.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/files/0x000a000000023b64-7.dat autoit_exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2108 set thread context of 1116 2108 D3.exe 93 PID 864 set thread context of 420 864 bcdprov.exe 109 -
resource yara_rule behavioral2/memory/1116-35-0x0000000000400000-0x000000000047B000-memory.dmp upx behavioral2/memory/1116-37-0x0000000000400000-0x000000000047B000-memory.dmp upx behavioral2/memory/1116-39-0x0000000000400000-0x000000000047B000-memory.dmp upx behavioral2/memory/1116-38-0x0000000000400000-0x000000000047B000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bcdprov.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language D3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AppLaunch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language audiadg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AppLaunch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 3636 reg.exe 4108 reg.exe 1316 reg.exe 2104 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 2108 D3.exe 2108 D3.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe 3580 audiadg.exe 2108 D3.exe -
Suspicious use of AdjustPrivilegeToken 39 IoCs
description pid Process Token: SeDebugPrivilege 4880 JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe Token: SeDebugPrivilege 2108 D3.exe Token: 1 1116 AppLaunch.exe Token: SeCreateTokenPrivilege 1116 AppLaunch.exe Token: SeAssignPrimaryTokenPrivilege 1116 AppLaunch.exe Token: SeLockMemoryPrivilege 1116 AppLaunch.exe Token: SeIncreaseQuotaPrivilege 1116 AppLaunch.exe Token: SeMachineAccountPrivilege 1116 AppLaunch.exe Token: SeTcbPrivilege 1116 AppLaunch.exe Token: SeSecurityPrivilege 1116 AppLaunch.exe Token: SeTakeOwnershipPrivilege 1116 AppLaunch.exe Token: SeLoadDriverPrivilege 1116 AppLaunch.exe Token: SeSystemProfilePrivilege 1116 AppLaunch.exe Token: SeSystemtimePrivilege 1116 AppLaunch.exe Token: SeProfSingleProcessPrivilege 1116 AppLaunch.exe Token: SeIncBasePriorityPrivilege 1116 AppLaunch.exe Token: SeCreatePagefilePrivilege 1116 AppLaunch.exe Token: SeCreatePermanentPrivilege 1116 AppLaunch.exe Token: SeBackupPrivilege 1116 AppLaunch.exe Token: SeRestorePrivilege 1116 AppLaunch.exe Token: SeShutdownPrivilege 1116 AppLaunch.exe Token: SeDebugPrivilege 1116 AppLaunch.exe Token: SeAuditPrivilege 1116 AppLaunch.exe Token: SeSystemEnvironmentPrivilege 1116 AppLaunch.exe Token: SeChangeNotifyPrivilege 1116 AppLaunch.exe Token: SeRemoteShutdownPrivilege 1116 AppLaunch.exe Token: SeUndockPrivilege 1116 AppLaunch.exe Token: SeSyncAgentPrivilege 1116 AppLaunch.exe Token: SeEnableDelegationPrivilege 1116 AppLaunch.exe Token: SeManageVolumePrivilege 1116 AppLaunch.exe Token: SeImpersonatePrivilege 1116 AppLaunch.exe Token: SeCreateGlobalPrivilege 1116 AppLaunch.exe Token: 31 1116 AppLaunch.exe Token: 32 1116 AppLaunch.exe Token: 33 1116 AppLaunch.exe Token: 34 1116 AppLaunch.exe Token: 35 1116 AppLaunch.exe Token: SeDebugPrivilege 3580 audiadg.exe Token: SeDebugPrivilege 864 bcdprov.exe -
Suspicious use of FindShellTrayWindow 10 IoCs
pid Process 3600 sarkoth.exe 3600 sarkoth.exe 3600 sarkoth.exe 3600 sarkoth.exe 3600 sarkoth.exe 3600 sarkoth.exe 3600 sarkoth.exe 3600 sarkoth.exe 3600 sarkoth.exe 3600 sarkoth.exe -
Suspicious use of SendNotifyMessage 10 IoCs
pid Process 3600 sarkoth.exe 3600 sarkoth.exe 3600 sarkoth.exe 3600 sarkoth.exe 3600 sarkoth.exe 3600 sarkoth.exe 3600 sarkoth.exe 3600 sarkoth.exe 3600 sarkoth.exe 3600 sarkoth.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1116 AppLaunch.exe 1116 AppLaunch.exe 1116 AppLaunch.exe 1116 AppLaunch.exe 420 AppLaunch.exe 420 AppLaunch.exe -
Suspicious use of WriteProcessMemory 51 IoCs
description pid Process procid_target PID 4880 wrote to memory of 3600 4880 JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe 83 PID 4880 wrote to memory of 3600 4880 JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe 83 PID 4880 wrote to memory of 2108 4880 JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe 84 PID 4880 wrote to memory of 2108 4880 JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe 84 PID 4880 wrote to memory of 2108 4880 JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe 84 PID 2108 wrote to memory of 1116 2108 D3.exe 93 PID 2108 wrote to memory of 1116 2108 D3.exe 93 PID 2108 wrote to memory of 1116 2108 D3.exe 93 PID 2108 wrote to memory of 1116 2108 D3.exe 93 PID 2108 wrote to memory of 1116 2108 D3.exe 93 PID 2108 wrote to memory of 1116 2108 D3.exe 93 PID 2108 wrote to memory of 1116 2108 D3.exe 93 PID 2108 wrote to memory of 1116 2108 D3.exe 93 PID 1116 wrote to memory of 748 1116 AppLaunch.exe 94 PID 1116 wrote to memory of 748 1116 AppLaunch.exe 94 PID 1116 wrote to memory of 748 1116 AppLaunch.exe 94 PID 1116 wrote to memory of 1556 1116 AppLaunch.exe 95 PID 1116 wrote to memory of 1556 1116 AppLaunch.exe 95 PID 1116 wrote to memory of 1556 1116 AppLaunch.exe 95 PID 1116 wrote to memory of 2804 1116 AppLaunch.exe 96 PID 1116 wrote to memory of 2804 1116 AppLaunch.exe 96 PID 1116 wrote to memory of 2804 1116 AppLaunch.exe 96 PID 1116 wrote to memory of 3180 1116 AppLaunch.exe 97 PID 1116 wrote to memory of 3180 1116 AppLaunch.exe 97 PID 1116 wrote to memory of 3180 1116 AppLaunch.exe 97 PID 2804 wrote to memory of 3636 2804 cmd.exe 102 PID 2804 wrote to memory of 3636 2804 cmd.exe 102 PID 2804 wrote to memory of 3636 2804 cmd.exe 102 PID 748 wrote to memory of 4108 748 cmd.exe 103 PID 748 wrote to memory of 4108 748 cmd.exe 103 PID 748 wrote to memory of 4108 748 cmd.exe 103 PID 3180 wrote to memory of 1316 3180 cmd.exe 104 PID 3180 wrote to memory of 1316 3180 cmd.exe 104 PID 3180 wrote to memory of 1316 3180 cmd.exe 104 PID 1556 wrote to memory of 2104 1556 cmd.exe 105 PID 1556 wrote to memory of 2104 1556 cmd.exe 105 PID 1556 wrote to memory of 2104 1556 cmd.exe 105 PID 2108 wrote to memory of 3580 2108 D3.exe 106 PID 2108 wrote to memory of 3580 2108 D3.exe 106 PID 2108 wrote to memory of 3580 2108 D3.exe 106 PID 3580 wrote to memory of 864 3580 audiadg.exe 107 PID 3580 wrote to memory of 864 3580 audiadg.exe 107 PID 3580 wrote to memory of 864 3580 audiadg.exe 107 PID 864 wrote to memory of 420 864 bcdprov.exe 109 PID 864 wrote to memory of 420 864 bcdprov.exe 109 PID 864 wrote to memory of 420 864 bcdprov.exe 109 PID 864 wrote to memory of 420 864 bcdprov.exe 109 PID 864 wrote to memory of 420 864 bcdprov.exe 109 PID 864 wrote to memory of 420 864 bcdprov.exe 109 PID 864 wrote to memory of 420 864 bcdprov.exe 109 PID 864 wrote to memory of 420 864 bcdprov.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1eb9eea740e4165eb9ae5dcee0d72862.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Users\Admin\AppData\Local\Temp\Software\sarkoth.exe"C:\Users\Admin\AppData\Local\Temp\Software\sarkoth.exe"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3600
-
-
C:\Users\Admin\AppData\Local\Temp\Software\D3.exe"C:\Users\Admin\AppData\Local\Temp\Software\D3.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4108
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2104
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3636
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\D3Sept.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\D3Sept.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\D3Sept.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\D3Sept.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1316
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\audiadg.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\audiadg.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Users\Admin\AppData\Local\Temp\bcdprov.exe"C:\Users\Admin\AppData\Local\Temp\bcdprov.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:420
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 1
Windows Service 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 1
Windows Service 1
Defense Evasion
Impair Defenses 1
Disable or Modify System Firewall 1
Modify Registry 3
Downloads