Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
24/05/2022, 00:39
Static task
static1
Behavioral task
behavioral1
Sample
4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe
Resource
win7-20220414-en
General
-
Target
4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe
-
Size
263KB
-
MD5
582fb65add01ce95d827b96006a3ff42
-
SHA1
d8931a791f8ef3d4015aec2bffa47808e28877b5
-
SHA256
4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01
-
SHA512
6e2194abfba98c6723040b9d4e801a8d4e75cc8449d408638fa80edfa11865cad9d01b768c21919ed863f3e7f97d258930ccbbf6acbc0e65c730ead79f5c7141
Malware Config
Signatures
-
Detects PlugX Payload 5 IoCs
resource yara_rule behavioral1/memory/1384-67-0x0000000000330000-0x0000000000360000-memory.dmp family_plugx behavioral1/memory/1100-83-0x0000000000340000-0x0000000000370000-memory.dmp family_plugx behavioral1/memory/1644-85-0x0000000000310000-0x0000000000340000-memory.dmp family_plugx behavioral1/memory/1760-86-0x00000000003C0000-0x00000000003F0000-memory.dmp family_plugx behavioral1/memory/548-91-0x0000000000300000-0x0000000000330000-memory.dmp family_plugx -
Executes dropped EXE 3 IoCs
pid Process 1384 Nv.exe 1644 Nv.exe 1100 Nv.exe -
Deletes itself 1 IoCs
pid Process 1384 Nv.exe -
Loads dropped DLL 8 IoCs
pid Process 1836 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe 1836 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe 1836 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe 1836 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe 1836 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe 1384 Nv.exe 1644 Nv.exe 1100 Nv.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 33 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{83CBA60A-0B93-4B28-9EE5-597968409073}\WpadDecision = "0" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-54-ce-26-d3-f1 svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{83CBA60A-0B93-4B28-9EE5-597968409073}\26-54-ce-26-d3-f1 svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-54-ce-26-d3-f1\WpadDecision = "0" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{83CBA60A-0B93-4B28-9EE5-597968409073} svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0096000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{83CBA60A-0B93-4B28-9EE5-597968409073}\WpadDecisionReason = "1" svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{83CBA60A-0B93-4B28-9EE5-597968409073}\WpadDecisionTime = 3073669a176fd801 svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-54-ce-26-d3-f1\WpadDecisionTime = 3073669a176fd801 svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{83CBA60A-0B93-4B28-9EE5-597968409073}\WpadNetworkName = "Network 2" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-54-ce-26-d3-f1\WpadDecisionReason = "1" svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform svchost.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\CLASSES\FAST svchost.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 43004100380037004500330033004200420038004200430039003700310031000000 svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1384 Nv.exe 1760 svchost.exe 1760 svchost.exe 1760 svchost.exe 1760 svchost.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 1760 svchost.exe 1760 svchost.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 1760 svchost.exe 1760 svchost.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 1760 svchost.exe 1760 svchost.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 1760 svchost.exe 1760 svchost.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 1760 svchost.exe 1760 svchost.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 1760 svchost.exe 1760 svchost.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 548 msiexec.exe 1760 svchost.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeDebugPrivilege 1384 Nv.exe Token: SeTcbPrivilege 1384 Nv.exe Token: SeDebugPrivilege 1644 Nv.exe Token: SeTcbPrivilege 1644 Nv.exe Token: SeDebugPrivilege 1100 Nv.exe Token: SeTcbPrivilege 1100 Nv.exe Token: SeDebugPrivilege 1760 svchost.exe Token: SeTcbPrivilege 1760 svchost.exe Token: SeDebugPrivilege 548 msiexec.exe Token: SeTcbPrivilege 548 msiexec.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1836 wrote to memory of 1384 1836 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe 28 PID 1836 wrote to memory of 1384 1836 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe 28 PID 1836 wrote to memory of 1384 1836 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe 28 PID 1836 wrote to memory of 1384 1836 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe 28 PID 1836 wrote to memory of 1384 1836 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe 28 PID 1836 wrote to memory of 1384 1836 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe 28 PID 1836 wrote to memory of 1384 1836 4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe 28 PID 1100 wrote to memory of 1760 1100 Nv.exe 31 PID 1100 wrote to memory of 1760 1100 Nv.exe 31 PID 1100 wrote to memory of 1760 1100 Nv.exe 31 PID 1100 wrote to memory of 1760 1100 Nv.exe 31 PID 1100 wrote to memory of 1760 1100 Nv.exe 31 PID 1100 wrote to memory of 1760 1100 Nv.exe 31 PID 1100 wrote to memory of 1760 1100 Nv.exe 31 PID 1100 wrote to memory of 1760 1100 Nv.exe 31 PID 1100 wrote to memory of 1760 1100 Nv.exe 31 PID 1760 wrote to memory of 548 1760 svchost.exe 33 PID 1760 wrote to memory of 548 1760 svchost.exe 33 PID 1760 wrote to memory of 548 1760 svchost.exe 33 PID 1760 wrote to memory of 548 1760 svchost.exe 33 PID 1760 wrote to memory of 548 1760 svchost.exe 33 PID 1760 wrote to memory of 548 1760 svchost.exe 33 PID 1760 wrote to memory of 548 1760 svchost.exe 33 PID 1760 wrote to memory of 548 1760 svchost.exe 33 PID 1760 wrote to memory of 548 1760 svchost.exe 33 PID 1760 wrote to memory of 548 1760 svchost.exe 33 PID 1760 wrote to memory of 548 1760 svchost.exe 33 PID 1760 wrote to memory of 548 1760 svchost.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe"C:\Users\Admin\AppData\Local\Temp\4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384
-
-
C:\ProgramData\SxS\Nv.exe"C:\ProgramData\SxS\Nv.exe" 100 13841⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1644
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe 201 01⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\msiexec.exeC:\Windows\system32\msiexec.exe 209 17602⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:548
-
-
C:\ProgramData\SxS\Nv.exe"C:\ProgramData\SxS\Nv.exe" 200 01⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46KB
MD509b8b54f78a10c435cd319070aa13c28
SHA16474d0369f97e72e01e4971128d1062f5c2b3656
SHA256523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256
SHA512c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7
-
Filesize
46KB
MD509b8b54f78a10c435cd319070aa13c28
SHA16474d0369f97e72e01e4971128d1062f5c2b3656
SHA256523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256
SHA512c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7
-
Filesize
120KB
MD5e1e6d954482a108020c8e471bd0790e4
SHA1138def3945437e9d81902f00b1119795140ae8bf
SHA2569f5663bdcd5217b16597a53c763359c63d867202df572f23493d54a1c082c954
SHA5127573eba59791c978c45e5af1abd70c3a7d454e6fe1de9962f737679e8ddf5e9694d548bb8f0bbc4ffc236921a984f97bc1d11b0b0f239b25bb4253f88e2862e5
-
Filesize
41KB
MD592b5a067fc1866b933eade6ebd4e1564
SHA191c38bb2d1993dde1068550e42580c4d2993a5c1
SHA256632341931e3fe5eb85693c088bc3aaefffe9e5a64131af8fd214e66b247079c6
SHA5123f7e2a85db7503196ceb84605758caef87162d8935be0c909afcd45b388605ca85c76e9b134b08e158f8cfaf23b65d27969fa907ba7aeeecc988ac94cb0bb691
-
Filesize
460B
MD50d95b47d60e5105f0cb96db0b56eed7f
SHA16cc916996385b1d4e96d146e33c608e8909d73d1
SHA256ec79cf65b0924186661933df2c8665a272c6a7f45a0ccfcd49e8c93307580e0c
SHA5129f7cecd68429815a6b1ab366adc916dd26b84c6b99b4990c4e303e0bb6c5c893c9c7e3628c4a59915ef7bad8d5120bf2fb4ee0789114d2aaa20796a5b9b09e27
-
Filesize
46KB
MD509b8b54f78a10c435cd319070aa13c28
SHA16474d0369f97e72e01e4971128d1062f5c2b3656
SHA256523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256
SHA512c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7
-
Filesize
46KB
MD509b8b54f78a10c435cd319070aa13c28
SHA16474d0369f97e72e01e4971128d1062f5c2b3656
SHA256523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256
SHA512c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7
-
Filesize
120KB
MD5e1e6d954482a108020c8e471bd0790e4
SHA1138def3945437e9d81902f00b1119795140ae8bf
SHA2569f5663bdcd5217b16597a53c763359c63d867202df572f23493d54a1c082c954
SHA5127573eba59791c978c45e5af1abd70c3a7d454e6fe1de9962f737679e8ddf5e9694d548bb8f0bbc4ffc236921a984f97bc1d11b0b0f239b25bb4253f88e2862e5
-
Filesize
41KB
MD592b5a067fc1866b933eade6ebd4e1564
SHA191c38bb2d1993dde1068550e42580c4d2993a5c1
SHA256632341931e3fe5eb85693c088bc3aaefffe9e5a64131af8fd214e66b247079c6
SHA5123f7e2a85db7503196ceb84605758caef87162d8935be0c909afcd45b388605ca85c76e9b134b08e158f8cfaf23b65d27969fa907ba7aeeecc988ac94cb0bb691
-
Filesize
41KB
MD592b5a067fc1866b933eade6ebd4e1564
SHA191c38bb2d1993dde1068550e42580c4d2993a5c1
SHA256632341931e3fe5eb85693c088bc3aaefffe9e5a64131af8fd214e66b247079c6
SHA5123f7e2a85db7503196ceb84605758caef87162d8935be0c909afcd45b388605ca85c76e9b134b08e158f8cfaf23b65d27969fa907ba7aeeecc988ac94cb0bb691
-
Filesize
41KB
MD592b5a067fc1866b933eade6ebd4e1564
SHA191c38bb2d1993dde1068550e42580c4d2993a5c1
SHA256632341931e3fe5eb85693c088bc3aaefffe9e5a64131af8fd214e66b247079c6
SHA5123f7e2a85db7503196ceb84605758caef87162d8935be0c909afcd45b388605ca85c76e9b134b08e158f8cfaf23b65d27969fa907ba7aeeecc988ac94cb0bb691
-
Filesize
46KB
MD509b8b54f78a10c435cd319070aa13c28
SHA16474d0369f97e72e01e4971128d1062f5c2b3656
SHA256523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256
SHA512c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7
-
Filesize
46KB
MD509b8b54f78a10c435cd319070aa13c28
SHA16474d0369f97e72e01e4971128d1062f5c2b3656
SHA256523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256
SHA512c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7
-
Filesize
46KB
MD509b8b54f78a10c435cd319070aa13c28
SHA16474d0369f97e72e01e4971128d1062f5c2b3656
SHA256523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256
SHA512c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7
-
Filesize
46KB
MD509b8b54f78a10c435cd319070aa13c28
SHA16474d0369f97e72e01e4971128d1062f5c2b3656
SHA256523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256
SHA512c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7
-
Filesize
46KB
MD509b8b54f78a10c435cd319070aa13c28
SHA16474d0369f97e72e01e4971128d1062f5c2b3656
SHA256523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256
SHA512c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7
-
Filesize
41KB
MD592b5a067fc1866b933eade6ebd4e1564
SHA191c38bb2d1993dde1068550e42580c4d2993a5c1
SHA256632341931e3fe5eb85693c088bc3aaefffe9e5a64131af8fd214e66b247079c6
SHA5123f7e2a85db7503196ceb84605758caef87162d8935be0c909afcd45b388605ca85c76e9b134b08e158f8cfaf23b65d27969fa907ba7aeeecc988ac94cb0bb691