Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
13-01-2021 09:12
Static task
static1
Behavioral task
behavioral1
Sample
OCOLZ552720.js
Resource
win7v20201028
Behavioral task
behavioral2
Sample
OCOLZ552720.js
Resource
win10v20201028
General
-
Target
OCOLZ552720.js
-
Size
195KB
-
MD5
86f5e65bcc64e04ba7946d8071f213b1
-
SHA1
403129cb5514917a278e91e0643f852964912c03
-
SHA256
ba68c2acc5b4ce72444fd74f4dab6661bad90e865b0992d5ff9bb4afe32f3557
-
SHA512
8580b921516571a57edcf22de46be1b938167a19278fa1f2eb3de6994198a9d6e3d305f18dfe1ed8e293c2ab0ffb2464a5788756c3be3fd02cb352b5af3d691d
Malware Config
Signatures
-
Drops startup file 1 IoCs
Processes:
java.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rtwfngte.txt java.exe -
Loads dropped DLL 3 IoCs
Processes:
java.exejava.exejava.exepid process 4024 java.exe 3108 java.exe 2100 java.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
java.exejava.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\rtwfngte = "\"C:\\Users\\Admin\\AppData\\Roaming\\rtwfngte.txt\"" java.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rtwfngte = "\"C:\\Users\\Admin\\AppData\\Roaming\\rtwfngte.txt\"" java.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\plugins = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\plugins.jar\" mp" java.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plugins = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\plugins.jar\" mp" java.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 22 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
WMIC.exeWMIC.exedescription pid process Token: SeIncreaseQuotaPrivilege 612 WMIC.exe Token: SeSecurityPrivilege 612 WMIC.exe Token: SeTakeOwnershipPrivilege 612 WMIC.exe Token: SeLoadDriverPrivilege 612 WMIC.exe Token: SeSystemProfilePrivilege 612 WMIC.exe Token: SeSystemtimePrivilege 612 WMIC.exe Token: SeProfSingleProcessPrivilege 612 WMIC.exe Token: SeIncBasePriorityPrivilege 612 WMIC.exe Token: SeCreatePagefilePrivilege 612 WMIC.exe Token: SeBackupPrivilege 612 WMIC.exe Token: SeRestorePrivilege 612 WMIC.exe Token: SeShutdownPrivilege 612 WMIC.exe Token: SeDebugPrivilege 612 WMIC.exe Token: SeSystemEnvironmentPrivilege 612 WMIC.exe Token: SeRemoteShutdownPrivilege 612 WMIC.exe Token: SeUndockPrivilege 612 WMIC.exe Token: SeManageVolumePrivilege 612 WMIC.exe Token: 33 612 WMIC.exe Token: 34 612 WMIC.exe Token: 35 612 WMIC.exe Token: 36 612 WMIC.exe Token: SeIncreaseQuotaPrivilege 612 WMIC.exe Token: SeSecurityPrivilege 612 WMIC.exe Token: SeTakeOwnershipPrivilege 612 WMIC.exe Token: SeLoadDriverPrivilege 612 WMIC.exe Token: SeSystemProfilePrivilege 612 WMIC.exe Token: SeSystemtimePrivilege 612 WMIC.exe Token: SeProfSingleProcessPrivilege 612 WMIC.exe Token: SeIncBasePriorityPrivilege 612 WMIC.exe Token: SeCreatePagefilePrivilege 612 WMIC.exe Token: SeBackupPrivilege 612 WMIC.exe Token: SeRestorePrivilege 612 WMIC.exe Token: SeShutdownPrivilege 612 WMIC.exe Token: SeDebugPrivilege 612 WMIC.exe Token: SeSystemEnvironmentPrivilege 612 WMIC.exe Token: SeRemoteShutdownPrivilege 612 WMIC.exe Token: SeUndockPrivilege 612 WMIC.exe Token: SeManageVolumePrivilege 612 WMIC.exe Token: 33 612 WMIC.exe Token: 34 612 WMIC.exe Token: 35 612 WMIC.exe Token: 36 612 WMIC.exe Token: SeIncreaseQuotaPrivilege 3892 WMIC.exe Token: SeSecurityPrivilege 3892 WMIC.exe Token: SeTakeOwnershipPrivilege 3892 WMIC.exe Token: SeLoadDriverPrivilege 3892 WMIC.exe Token: SeSystemProfilePrivilege 3892 WMIC.exe Token: SeSystemtimePrivilege 3892 WMIC.exe Token: SeProfSingleProcessPrivilege 3892 WMIC.exe Token: SeIncBasePriorityPrivilege 3892 WMIC.exe Token: SeCreatePagefilePrivilege 3892 WMIC.exe Token: SeBackupPrivilege 3892 WMIC.exe Token: SeRestorePrivilege 3892 WMIC.exe Token: SeShutdownPrivilege 3892 WMIC.exe Token: SeDebugPrivilege 3892 WMIC.exe Token: SeSystemEnvironmentPrivilege 3892 WMIC.exe Token: SeRemoteShutdownPrivilege 3892 WMIC.exe Token: SeUndockPrivilege 3892 WMIC.exe Token: SeManageVolumePrivilege 3892 WMIC.exe Token: 33 3892 WMIC.exe Token: 34 3892 WMIC.exe Token: 35 3892 WMIC.exe Token: 36 3892 WMIC.exe Token: SeIncreaseQuotaPrivilege 3892 WMIC.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
wscript.exejavaw.exewscript.exejavaw.exejava.execmd.exejava.execmd.execmd.execmd.execmd.exedescription pid process target process PID 1036 wrote to memory of 2612 1036 wscript.exe javaw.exe PID 1036 wrote to memory of 2612 1036 wscript.exe javaw.exe PID 2612 wrote to memory of 3244 2612 javaw.exe wscript.exe PID 2612 wrote to memory of 3244 2612 javaw.exe wscript.exe PID 3244 wrote to memory of 2756 3244 wscript.exe javaw.exe PID 3244 wrote to memory of 2756 3244 wscript.exe javaw.exe PID 2756 wrote to memory of 4024 2756 javaw.exe java.exe PID 2756 wrote to memory of 4024 2756 javaw.exe java.exe PID 4024 wrote to memory of 188 4024 java.exe cmd.exe PID 4024 wrote to memory of 188 4024 java.exe cmd.exe PID 4024 wrote to memory of 3108 4024 java.exe java.exe PID 4024 wrote to memory of 3108 4024 java.exe java.exe PID 188 wrote to memory of 2180 188 cmd.exe schtasks.exe PID 188 wrote to memory of 2180 188 cmd.exe schtasks.exe PID 3108 wrote to memory of 2100 3108 java.exe java.exe PID 3108 wrote to memory of 2100 3108 java.exe java.exe PID 3108 wrote to memory of 3060 3108 java.exe cmd.exe PID 3108 wrote to memory of 3060 3108 java.exe cmd.exe PID 3060 wrote to memory of 612 3060 cmd.exe WMIC.exe PID 3060 wrote to memory of 612 3060 cmd.exe WMIC.exe PID 3108 wrote to memory of 4048 3108 java.exe cmd.exe PID 3108 wrote to memory of 4048 3108 java.exe cmd.exe PID 4048 wrote to memory of 3892 4048 cmd.exe WMIC.exe PID 4048 wrote to memory of 3892 4048 cmd.exe WMIC.exe PID 3108 wrote to memory of 1348 3108 java.exe cmd.exe PID 3108 wrote to memory of 1348 3108 java.exe cmd.exe PID 1348 wrote to memory of 2196 1348 cmd.exe WMIC.exe PID 1348 wrote to memory of 2196 1348 cmd.exe WMIC.exe PID 3108 wrote to memory of 1320 3108 java.exe cmd.exe PID 3108 wrote to memory of 1320 3108 java.exe cmd.exe PID 1320 wrote to memory of 804 1320 cmd.exe WMIC.exe PID 1320 wrote to memory of 804 1320 cmd.exe WMIC.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\OCOLZ552720.js1⤵
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\bwkbv.txt"2⤵
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SYSTEM32\wscript.exewscript C:\Users\Admin\fquimaihdd.js3⤵
- Suspicious use of WriteProcessMemory
PID:3244 -
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\rtwfngte.txt"4⤵
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Program Files\Java\jre1.8.0_66\bin\java.exe"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\rtwfngte.txt"5⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Program Files\Java\jre1.8.0_66\bin\java.exe"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\rtwfngte.txt"6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Program Files\Java\jre1.8.0_66\bin\java.exe"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\plugins.jar" mp7⤵
- Loads dropped DLL
- Adds Run key to start application
PID:2100
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"7⤵
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list8⤵
- Suspicious use of AdjustPrivilegeToken
PID:612
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"7⤵
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3892
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"7⤵
- Suspicious use of WriteProcessMemory
PID:1348
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"7⤵
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\System32\Wbem\WMIC.exewmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list8⤵PID:804
-
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\rtwfngte.txt"6⤵
- Suspicious use of WriteProcessMemory
PID:188 -
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\rtwfngte.txt"7⤵
- Creates scheduled task(s)
PID:2180
-
-
-
-
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list1⤵PID:2196
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
29d27d3eb502ab954775fdd49198a60c
SHA126d8acd31bf7b6c59b7d56bfba0da8e5f74f895e
SHA256a40eccf26e7768d4bdc79aa815b5167b10e9ab81905b6b5f8d331a3570efc9a1
SHA5128d1d83424caed8074a1313b70f8297837111292ab182f53171700ddf4098669120b882f8361d9a22bcb49106e24f3c3c116c845c791c90f8486a28590889af39
-
MD5
e02979ecd43bcc9061eb2b494ab5af50
SHA13122ac0e751660f646c73b10c4f79685aa65c545
SHA256a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a
SHA5121e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372
-
MD5
e02979ecd43bcc9061eb2b494ab5af50
SHA13122ac0e751660f646c73b10c4f79685aa65c545
SHA256a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a
SHA5121e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3341490333-719741536-2920803124-1000\83aa4cc77f591dfc2374580bbd95f6ba_4a1d5b5d-6336-41a4-a4da-b4af65e6deff
MD5c8366ae350e7019aefc9d1e6e6a498c6
SHA15731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA25611e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA51233c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
-
MD5
8c8bd4c98378cbfd170cef3fea63ad10
SHA1289800651479f0f5180c2bd85330933cd84d9f55
SHA256e0384f56f6db64896fbc40b41f82e2559abf10880fd618677867c23d45ab003c
SHA51295cb754afd2e61f8849b640c14ee1940667d29f6cf215664c17e3206ad58e236ccea2cc0070f9d2246b92257db5361804053f30f2a9dd25ad39cbc0f0f9bd163
-
MD5
acfb5b5fd9ee10bf69497792fd469f85
SHA10e0845217c4907822403912ad6828d8e0b256208
SHA256b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e
SHA512e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa
-
MD5
2f4a99c2758e72ee2b59a73586a2322f
SHA1af38e7c4d0fc73c23ecd785443705bfdee5b90bf
SHA25624d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5
SHA512b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494
-
MD5
b33387e15ab150a7bf560abdc73c3bec
SHA166b8075784131f578ef893fd7674273f709b9a4c
SHA2562eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491
SHA51225cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279
-
MD5
e1aa38a1e78a76a6de73efae136cdb3a
SHA1c463da71871f780b2e2e5dba115d43953b537daf
SHA2562ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609
SHA512fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d
-
MD5
0414a9d9911fa094e029be12bf629f6b
SHA1987e79d11e4240c387d3009894f8f29dbfb3c940
SHA25698528533c73fac9d93db386d2390e006f5b26545d521140c3196303c991b4bc4
SHA5120bc6120addf889a14d50799e3d0c60a035fffc3d169d87be65442f3643c7ceefaef09379bca2c6aca6c226e0127d2a19d32525225c2bca3b63c673ba222903f3
-
MD5
0414a9d9911fa094e029be12bf629f6b
SHA1987e79d11e4240c387d3009894f8f29dbfb3c940
SHA25698528533c73fac9d93db386d2390e006f5b26545d521140c3196303c991b4bc4
SHA5120bc6120addf889a14d50799e3d0c60a035fffc3d169d87be65442f3643c7ceefaef09379bca2c6aca6c226e0127d2a19d32525225c2bca3b63c673ba222903f3
-
MD5
0414a9d9911fa094e029be12bf629f6b
SHA1987e79d11e4240c387d3009894f8f29dbfb3c940
SHA25698528533c73fac9d93db386d2390e006f5b26545d521140c3196303c991b4bc4
SHA5120bc6120addf889a14d50799e3d0c60a035fffc3d169d87be65442f3643c7ceefaef09379bca2c6aca6c226e0127d2a19d32525225c2bca3b63c673ba222903f3
-
MD5
b544135c8bde6ae3eb47f3fffab790e0
SHA1127e34ec41a98affd2c3ca2e6c51aa9678363771
SHA25688917bfabede7854485f688d3b0e1f3fa49e49cd4935b58df0bca5e9c975ecd5
SHA512df0448ac0e1353401222a29ef4f30bb40f2dd0583b2d8101f6f7d725b25636d3b6f9c51d452627d06dcc704ab7c872c9c46c469431b4952db1402d29843aeffc
-
MD5
acfb5b5fd9ee10bf69497792fd469f85
SHA10e0845217c4907822403912ad6828d8e0b256208
SHA256b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e
SHA512e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa
-
MD5
2f4a99c2758e72ee2b59a73586a2322f
SHA1af38e7c4d0fc73c23ecd785443705bfdee5b90bf
SHA25624d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5
SHA512b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494
-
MD5
b33387e15ab150a7bf560abdc73c3bec
SHA166b8075784131f578ef893fd7674273f709b9a4c
SHA2562eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491
SHA51225cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279
-
MD5
e1aa38a1e78a76a6de73efae136cdb3a
SHA1c463da71871f780b2e2e5dba115d43953b537daf
SHA2562ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609
SHA512fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d
-
MD5
0414a9d9911fa094e029be12bf629f6b
SHA1987e79d11e4240c387d3009894f8f29dbfb3c940
SHA25698528533c73fac9d93db386d2390e006f5b26545d521140c3196303c991b4bc4
SHA5120bc6120addf889a14d50799e3d0c60a035fffc3d169d87be65442f3643c7ceefaef09379bca2c6aca6c226e0127d2a19d32525225c2bca3b63c673ba222903f3
-
MD5
e02979ecd43bcc9061eb2b494ab5af50
SHA13122ac0e751660f646c73b10c4f79685aa65c545
SHA256a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a
SHA5121e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372
-
MD5
e02979ecd43bcc9061eb2b494ab5af50
SHA13122ac0e751660f646c73b10c4f79685aa65c545
SHA256a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a
SHA5121e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372
-
MD5
e02979ecd43bcc9061eb2b494ab5af50
SHA13122ac0e751660f646c73b10c4f79685aa65c545
SHA256a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a
SHA5121e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372