Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
08-05-2021 13:01
Static task
static1
Behavioral task
behavioral1
Sample
AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe
Resource
win7v20210410
General
-
Target
AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe
-
Size
444KB
-
MD5
fd442753c3895d868eed72f7854e2fba
-
SHA1
477dc12f213dd05a15b61207926b478d3a0d04c7
-
SHA256
aadde71205336ccdd048f0b5029becbbcd03e741045f406b2fa819b909809202
-
SHA512
1a7ff91196019abe9dfa93bfaca299ecd87693ef173560951b4d55f9d0c66355535bef724de26865205419e7638e57c762e332d7eff85187e9695f0a92e1d0c2
Malware Config
Signatures
-
CrypVault
Ransomware family which makes encrypted files look like they have been quarantined by AV.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1080 1936 cmd.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 988 bcdedit.exe 212 bcdedit.exe -
Executes dropped EXE 3 IoCs
Processes:
7za.exe2D4F861D8D.exe2D4F861D8D.exepid process 1688 7za.exe 1476 2D4F861D8D.exe 1728 2D4F861D8D.exe -
Processes:
resource yara_rule behavioral1/memory/1728-84-0x0000000000400000-0x0000000000E28000-memory.dmp upx behavioral1/memory/1728-89-0x0000000000400000-0x000000000041A000-memory.dmp upx -
Drops startup file 2 IoCs
Processes:
2D4F861D8D.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta 2D4F861D8D.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta 2D4F861D8D.exe -
Loads dropped DLL 5 IoCs
Processes:
AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exevssadmin.exepid process 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe 1476 vssadmin.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
vssadmin.exedescription pid process target process PID 1476 set thread context of 1728 1476 vssadmin.exe 2D4F861D8D.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1476 vssadmin.exe -
Processes:
WINWORD.EXEmshta.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 384 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
vssadmin.exe2D4F861D8D.exepid process 1476 vssadmin.exe 1728 2D4F861D8D.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
2D4F861D8D.exeWMIC.exevssvc.exedescription pid process Token: SeImpersonatePrivilege 1728 2D4F861D8D.exe Token: SeTcbPrivilege 1728 2D4F861D8D.exe Token: SeChangeNotifyPrivilege 1728 2D4F861D8D.exe Token: SeCreateTokenPrivilege 1728 2D4F861D8D.exe Token: SeBackupPrivilege 1728 2D4F861D8D.exe Token: SeRestorePrivilege 1728 2D4F861D8D.exe Token: SeIncreaseQuotaPrivilege 1728 2D4F861D8D.exe Token: SeAssignPrimaryTokenPrivilege 1728 2D4F861D8D.exe Token: SeIncreaseQuotaPrivilege 324 WMIC.exe Token: SeSecurityPrivilege 324 WMIC.exe Token: SeTakeOwnershipPrivilege 324 WMIC.exe Token: SeLoadDriverPrivilege 324 WMIC.exe Token: SeSystemProfilePrivilege 324 WMIC.exe Token: SeSystemtimePrivilege 324 WMIC.exe Token: SeProfSingleProcessPrivilege 324 WMIC.exe Token: SeIncBasePriorityPrivilege 324 WMIC.exe Token: SeCreatePagefilePrivilege 324 WMIC.exe Token: SeBackupPrivilege 324 WMIC.exe Token: SeRestorePrivilege 324 WMIC.exe Token: SeShutdownPrivilege 324 WMIC.exe Token: SeDebugPrivilege 324 WMIC.exe Token: SeSystemEnvironmentPrivilege 324 WMIC.exe Token: SeRemoteShutdownPrivilege 324 WMIC.exe Token: SeUndockPrivilege 324 WMIC.exe Token: SeManageVolumePrivilege 324 WMIC.exe Token: 33 324 WMIC.exe Token: 34 324 WMIC.exe Token: 35 324 WMIC.exe Token: SeIncreaseQuotaPrivilege 324 WMIC.exe Token: SeSecurityPrivilege 324 WMIC.exe Token: SeTakeOwnershipPrivilege 324 WMIC.exe Token: SeLoadDriverPrivilege 324 WMIC.exe Token: SeSystemProfilePrivilege 324 WMIC.exe Token: SeSystemtimePrivilege 324 WMIC.exe Token: SeProfSingleProcessPrivilege 324 WMIC.exe Token: SeIncBasePriorityPrivilege 324 WMIC.exe Token: SeCreatePagefilePrivilege 324 WMIC.exe Token: SeBackupPrivilege 324 WMIC.exe Token: SeRestorePrivilege 324 WMIC.exe Token: SeShutdownPrivilege 324 WMIC.exe Token: SeDebugPrivilege 324 WMIC.exe Token: SeSystemEnvironmentPrivilege 324 WMIC.exe Token: SeRemoteShutdownPrivilege 324 WMIC.exe Token: SeUndockPrivilege 324 WMIC.exe Token: SeManageVolumePrivilege 324 WMIC.exe Token: 33 324 WMIC.exe Token: 34 324 WMIC.exe Token: 35 324 WMIC.exe Token: SeBackupPrivilege 1328 vssvc.exe Token: SeRestorePrivilege 1328 vssvc.exe Token: SeAuditPrivilege 1328 vssvc.exe Token: SeImpersonatePrivilege 1728 2D4F861D8D.exe Token: SeTcbPrivilege 1728 2D4F861D8D.exe Token: SeChangeNotifyPrivilege 1728 2D4F861D8D.exe Token: SeCreateTokenPrivilege 1728 2D4F861D8D.exe Token: SeBackupPrivilege 1728 2D4F861D8D.exe Token: SeRestorePrivilege 1728 2D4F861D8D.exe Token: SeIncreaseQuotaPrivilege 1728 2D4F861D8D.exe Token: SeAssignPrimaryTokenPrivilege 1728 2D4F861D8D.exe Token: SeImpersonatePrivilege 1728 2D4F861D8D.exe Token: SeTcbPrivilege 1728 2D4F861D8D.exe Token: SeChangeNotifyPrivilege 1728 2D4F861D8D.exe Token: SeCreateTokenPrivilege 1728 2D4F861D8D.exe Token: SeBackupPrivilege 1728 2D4F861D8D.exe -
Suspicious use of SetWindowsHookEx 18 IoCs
Processes:
2D4F861D8D.exeWINWORD.EXEpid process 1476 2D4F861D8D.exe 1476 2D4F861D8D.exe 384 WINWORD.EXE 384 WINWORD.EXE 384 WINWORD.EXE 384 WINWORD.EXE 384 WINWORD.EXE 384 WINWORD.EXE 384 WINWORD.EXE 384 WINWORD.EXE 384 WINWORD.EXE 384 WINWORD.EXE 384 WINWORD.EXE 384 WINWORD.EXE 384 WINWORD.EXE 384 WINWORD.EXE 384 WINWORD.EXE 384 WINWORD.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exevssadmin.exe2D4F861D8D.execmd.exedescription pid process target process PID 1088 wrote to memory of 1704 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 1704 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 1704 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 1704 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 608 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 608 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 608 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 608 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 1652 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 1652 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 1652 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 1652 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 1688 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe 7za.exe PID 1088 wrote to memory of 1688 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe 7za.exe PID 1088 wrote to memory of 1688 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe 7za.exe PID 1088 wrote to memory of 1688 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe 7za.exe PID 1088 wrote to memory of 1312 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 1312 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 1312 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 1312 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 384 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe WINWORD.EXE PID 1088 wrote to memory of 384 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe WINWORD.EXE PID 1088 wrote to memory of 384 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe WINWORD.EXE PID 1088 wrote to memory of 384 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe WINWORD.EXE PID 1088 wrote to memory of 616 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 616 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 616 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 616 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 1476 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe 2D4F861D8D.exe PID 1088 wrote to memory of 1476 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe 2D4F861D8D.exe PID 1088 wrote to memory of 1476 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe 2D4F861D8D.exe PID 1088 wrote to memory of 1476 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe 2D4F861D8D.exe PID 1088 wrote to memory of 816 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 816 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 816 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1088 wrote to memory of 816 1088 AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe cmd.exe PID 1476 wrote to memory of 1728 1476 vssadmin.exe 2D4F861D8D.exe PID 1476 wrote to memory of 1728 1476 vssadmin.exe 2D4F861D8D.exe PID 1476 wrote to memory of 1728 1476 vssadmin.exe 2D4F861D8D.exe PID 1476 wrote to memory of 1728 1476 vssadmin.exe 2D4F861D8D.exe PID 1476 wrote to memory of 1728 1476 vssadmin.exe 2D4F861D8D.exe PID 1476 wrote to memory of 1728 1476 vssadmin.exe 2D4F861D8D.exe PID 1476 wrote to memory of 1728 1476 vssadmin.exe 2D4F861D8D.exe PID 1476 wrote to memory of 1728 1476 vssadmin.exe 2D4F861D8D.exe PID 1476 wrote to memory of 1728 1476 vssadmin.exe 2D4F861D8D.exe PID 1476 wrote to memory of 1728 1476 vssadmin.exe 2D4F861D8D.exe PID 1476 wrote to memory of 1728 1476 vssadmin.exe 2D4F861D8D.exe PID 1728 wrote to memory of 1592 1728 2D4F861D8D.exe mshta.exe PID 1728 wrote to memory of 1592 1728 2D4F861D8D.exe mshta.exe PID 1728 wrote to memory of 1592 1728 2D4F861D8D.exe mshta.exe PID 1728 wrote to memory of 1592 1728 2D4F861D8D.exe mshta.exe PID 1728 wrote to memory of 324 1728 2D4F861D8D.exe WMIC.exe PID 1728 wrote to memory of 324 1728 2D4F861D8D.exe WMIC.exe PID 1728 wrote to memory of 324 1728 2D4F861D8D.exe WMIC.exe PID 1728 wrote to memory of 324 1728 2D4F861D8D.exe WMIC.exe PID 1080 wrote to memory of 1476 1080 cmd.exe vssadmin.exe PID 1080 wrote to memory of 1476 1080 cmd.exe vssadmin.exe PID 1080 wrote to memory of 1476 1080 cmd.exe vssadmin.exe PID 1080 wrote to memory of 988 1080 cmd.exe bcdedit.exe PID 1080 wrote to memory of 988 1080 cmd.exe bcdedit.exe PID 1080 wrote to memory of 988 1080 cmd.exe bcdedit.exe PID 1080 wrote to memory of 212 1080 cmd.exe bcdedit.exe PID 1080 wrote to memory of 212 1080 cmd.exe bcdedit.exe PID 1080 wrote to memory of 212 1080 cmd.exe bcdedit.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe"C:\Users\Admin\AppData\Local\Temp\AADDE71205336CCDD048F0B5029BECBBCD03E741045F4.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo 2D4F861D8DCF8C8F2⤵PID:1704
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\CF8C8F" 7za.exe2⤵PID:608
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo 2D4F861D8DCF8C8F2⤵PID:1652
-
-
C:\Users\Admin\AppData\Local\Temp\7za.exe"C:\Users\Admin\AppData\Local\Temp\7za.exe" e "C:\Users\Admin\AppData\Local\Temp\2D4F861D8D" -y -p2D4F861D8D2⤵
- Executes dropped EXE
PID:1688
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo 2D4F861D8DCF8C8F2⤵PID:1312
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2D4F861D8D.doc"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:384
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo 2D4F861D8DCF8C8F2⤵PID:616
-
-
C:\Users\Admin\AppData\Local\Temp\2D4F861D8D.exe"C:\Users\Admin\AppData\Local\Temp\2D4F861D8D.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1476 -
C:\Users\Admin\AppData\Local\Temp\2D4F861D8D.exe"C:\Users\Admin\AppData\Local\Temp\2D4F861D8D.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta"4⤵
- Modifies Internet Explorer settings
PID:1592
-
-
C:\Windows\SysWOW64\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:324
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo 2D4F861D8DCF8C8F2⤵PID:816
-
-
C:\Windows\system32\cmd.execmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Interacts with shadow copies
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:988
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:212
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1328
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
0d71756d71d650cd42fcf4ab2bbda4b6
SHA11e70029a39eaf97becc86adff1092d016e0f2542
SHA256dd6da51ab136eec3f2fac7570bddff39d11b3bbef6f791c9a6e898520a9f4c1f
SHA512112bd91aa6573f80100d8c1b5804d1faaf7b1d78afb79d8f42ebec5d71512ffb8102d58b9b73b9b2d2a13331c611d822543ff08caca0288720e7520972864bde
-
MD5
efe5c5a45d6b6746daa3272d09e175d7
SHA180a805c3e5a73a121ecbc2c2aed0b2e846890477
SHA2565f0156b73d2b9f5d0a999734812ca0d0881fe683a331737df9ded5d24a145271
SHA512410553b0c58e699fb83557815cdc4e22dec1b14e870326f62dd09c2e26bd8d5c8a1fde66470a55f1cfa4b076be66747595f83cfa71070d38c6d7f01846b70a75
-
MD5
efcd0a5ec6bb1d981333bf9dea7a72ee
SHA1b9ca0a20adcf6c69dd626e0de86468e4a5514fe3
SHA256718e07ae563bcf629616ac3f056930e804af88e38377b98629ba60257f666699
SHA512dd41d489164891a5c8c2c582f77f6b8c8b54360849ec38b7af0fec4b28137172a4ef9cc2fe6eb10726431152751f3affbc1dd19671bff841742404d809180457
-
MD5
810f74773b1d921274c3766df5c00445
SHA190d547916e077dbb6fe56b215df4bc86b936a6f6
SHA25655eee544f1210a27540b418936b2e1240dcf6818fb4023374596621a91f6438f
SHA512e4d8d6ae1629021e28a55e459e1e8835142a19c3c9c97b195a523e2487cac6f46e366b3c0c39ef504e1943d7c74c76d461c963d0153dca1fadf3452c499f7388
-
MD5
810f74773b1d921274c3766df5c00445
SHA190d547916e077dbb6fe56b215df4bc86b936a6f6
SHA25655eee544f1210a27540b418936b2e1240dcf6818fb4023374596621a91f6438f
SHA512e4d8d6ae1629021e28a55e459e1e8835142a19c3c9c97b195a523e2487cac6f46e366b3c0c39ef504e1943d7c74c76d461c963d0153dca1fadf3452c499f7388
-
MD5
810f74773b1d921274c3766df5c00445
SHA190d547916e077dbb6fe56b215df4bc86b936a6f6
SHA25655eee544f1210a27540b418936b2e1240dcf6818fb4023374596621a91f6438f
SHA512e4d8d6ae1629021e28a55e459e1e8835142a19c3c9c97b195a523e2487cac6f46e366b3c0c39ef504e1943d7c74c76d461c963d0153dca1fadf3452c499f7388
-
MD5
42badc1d2f03a8b1e4875740d3d49336
SHA1cee178da1fb05f99af7a3547093122893bd1eb46
SHA256c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA5126bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
-
MD5
42badc1d2f03a8b1e4875740d3d49336
SHA1cee178da1fb05f99af7a3547093122893bd1eb46
SHA256c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA5126bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
-
MD5
1cf60361078e1c2f1219d27c4b3e760c
SHA108d350d205da687672b13e22b253932dd1708e75
SHA256c2d9c1bd8bb434dffd5ebbd0e8020ee73123f2e8134b19cbde4b6458f0d05a43
SHA51290f973c08c663dc7ca8575196ca2d6939bbeb9e1943268e8c8bae3b5cd895e85f654726924c86a0f1ffca4830f05c75ac6e80b44d4adeff345e9ff2cacaacccb
-
MD5
810f74773b1d921274c3766df5c00445
SHA190d547916e077dbb6fe56b215df4bc86b936a6f6
SHA25655eee544f1210a27540b418936b2e1240dcf6818fb4023374596621a91f6438f
SHA512e4d8d6ae1629021e28a55e459e1e8835142a19c3c9c97b195a523e2487cac6f46e366b3c0c39ef504e1943d7c74c76d461c963d0153dca1fadf3452c499f7388
-
MD5
810f74773b1d921274c3766df5c00445
SHA190d547916e077dbb6fe56b215df4bc86b936a6f6
SHA25655eee544f1210a27540b418936b2e1240dcf6818fb4023374596621a91f6438f
SHA512e4d8d6ae1629021e28a55e459e1e8835142a19c3c9c97b195a523e2487cac6f46e366b3c0c39ef504e1943d7c74c76d461c963d0153dca1fadf3452c499f7388
-
MD5
810f74773b1d921274c3766df5c00445
SHA190d547916e077dbb6fe56b215df4bc86b936a6f6
SHA25655eee544f1210a27540b418936b2e1240dcf6818fb4023374596621a91f6438f
SHA512e4d8d6ae1629021e28a55e459e1e8835142a19c3c9c97b195a523e2487cac6f46e366b3c0c39ef504e1943d7c74c76d461c963d0153dca1fadf3452c499f7388
-
MD5
42badc1d2f03a8b1e4875740d3d49336
SHA1cee178da1fb05f99af7a3547093122893bd1eb46
SHA256c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA5126bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
-
MD5
42badc1d2f03a8b1e4875740d3d49336
SHA1cee178da1fb05f99af7a3547093122893bd1eb46
SHA256c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA5126bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c