Analysis
max time kernel: 151s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/09/2022, 23:31
Static task
static1
Behavioral task
behavioral1
Sample
6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
Resource
win10v2004-20220901-en
General
-
Target
6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
-
Size
5.1MB
-
MD5
0727f10acffae1a2fbad5bdee8606d77
-
SHA1
25a2190e389051017b0b512c0caa0e56d185d80a
-
SHA256
6b2d7c8bdedb901d80c89717c9889abf169c9059d8bb545af6ca1960660324ad
-
SHA512
f5fdd04b5dd1882b99dcff66e21ee2eb6efe5032f25130f3ca67fc089c841fbdd48e495fdf370e0460833e6f8848c48069174298181db45e8857bdb4c5bed781
-
SSDEEP
98304:pAI+7WP8CGcEUNHnorSJwvvGBrHBHA8Fn6KhPpXjX2oPIn23U4jKuK5rQjKg0OFB:itM8C9EUN96viBHFn6Uhr/I23UEKuK58
Malware Config
Extracted
privateloader
http://212.193.30.45/proxies.txt
http://45.144.225.57/server.txt
http://wfsdragon.ru/api/setStats.php
2.56.59.42
Signatures
-
Detects Smokeloader packer 4 IoCs
resource  yara_rule
behavioral2/memory/4184-153-0x0000000000030000-0x0000000000039000-memory.dmp  family_smokeloader
behavioral2/memory/2284-163-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
behavioral2/memory/2284-167-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
behavioral2/memory/2284-238-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
-
FFDroider payload 8 IoCs
resource  yara_rule
behavioral2/memory/4528-149-0x0000000000400000-0x0000000000AF0000-memory.dmp  family_ffdroider
behavioral2/memory/4528-150-0x0000000000400000-0x0000000000AF0000-memory.dmp  family_ffdroider
behavioral2/memory/4528-152-0x0000000000400000-0x0000000000AF0000-memory.dmp  family_ffdroider
behavioral2/memory/4528-154-0x0000000000400000-0x0000000000AF0000-memory.dmp  family_ffdroider
behavioral2/memory/4528-159-0x0000000000400000-0x0000000000AF0000-memory.dmp  family_ffdroider
behavioral2/memory/4528-166-0x0000000000400000-0x0000000000AF0000-memory.dmp  family_ffdroider
behavioral2/memory/4528-401-0x0000000000400000-0x0000000000AF0000-memory.dmp  family_ffdroider
behavioral2/memory/4528-902-0x0000000000400000-0x0000000000AF0000-memory.dmp  family_ffdroider
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
NirSoft WebBrowserPassView 5 IoCs
Password recovery tool for various web browsers
resource  yara_rule
behavioral2/files/0x0003000000022dc3-137.dat  WebBrowserPassView
behavioral2/files/0x0003000000022dc3-136.dat  WebBrowserPassView
behavioral2/files/0x0002000000022dc8-162.dat  WebBrowserPassView
behavioral2/memory/2024-158-0x0000000000400000-0x000000000047C000-memory.dmp  WebBrowserPassView
behavioral2/files/0x0002000000022dc8-157.dat  WebBrowserPassView
-
Nirsoft 5 IoCs
resource  yara_rule
behavioral2/files/0x0003000000022dc3-137.dat  Nirsoft
behavioral2/files/0x0003000000022dc3-136.dat  Nirsoft
behavioral2/files/0x0002000000022dc8-162.dat  Nirsoft
behavioral2/memory/2024-158-0x0000000000400000-0x000000000047C000-memory.dmp  Nirsoft
behavioral2/files/0x0002000000022dc8-157.dat  Nirsoft
-
Executes dropped EXE 7 IoCs
pid  Process
2972  inst2.exe
1576  rtst1039.exe
4528  jg1_1faf.exe
4184  toolspab2.exe
2724  Cube_WW9.exe
2024  11111.exe
2284  toolspab2.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg1_1faf.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 ip-api.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 4528 jg1_1faf.exe -
Suspicious use of SetThreadContext 1 IoCs
description  pid  Process  procid_target
PID 4184 set thread context of 2284  4184  toolspab2.exe  90
-
Drops file in Program Files directory 13 IoCs
description  ioc  Process
File opened for modification  C:\Program Files (x86)\Company\NewProduct\rtst1039.exe  6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
File opened for modification  C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe  6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
File opened for modification  C:\Program Files (x86)\Company\NewProduct\toolspab2.exe  6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
File opened for modification  C:\Program Files (x86)\Company\NewProduct\Cube_WW9.exe  6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
File opened for modification  C:\Program Files (x86)\Company\NewProduct\Uninstall.exe  6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
File created  C:\Program Files (x86)\Company\NewProduct\d  jg1_1faf.exe
File opened for modification  C:\Program Files (x86)\Company\NewProduct\d  jg1_1faf.exe
File opened for modification  C:\Program Files (x86)\Company\NewProduct\inst2.exe  6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
File opened for modification  C:\Program Files (x86)\Company\NewProduct\d.jfm  jg1_1faf.exe
File created  C:\Program Files (x86)\Company\NewProduct\d.jfm  jg1_1faf.exe
File opened for modification  C:\Program Files (x86)\Company\NewProduct\d.INTEG.RAW  jg1_1faf.exe
File created  C:\Program Files (x86)\Company\NewProduct\tmp.edb  jg1_1faf.exe
File created  C:\Program Files (x86)\Company\NewProduct\Uninstall.ini  6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  toolspab2.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  toolspab2.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  toolspab2.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process
2024  11111.exe
2284  toolspab2.exe
2056  Process not Found
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2056 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2284 toolspab2.exe -
Suspicious use of AdjustPrivilegeToken 40 IoCs
description  pid  Process
Token: SeManageVolumePrivilege  4528  jg1_1faf.exe
Token: SeShutdownPrivilege  2056  Process not Found
Token: SeCreatePagefilePrivilege  2056  Process not Found
-
Suspicious use of WriteProcessMemory 23 IoCs
description  pid  Process  procid_target
PID 4816 wrote to memory of 2972  4816  6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe  82
PID 4816 wrote to memory of 1576  4816  6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe  83
PID 4816 wrote to memory of 4528  4816  6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe  84
PID 4816 wrote to memory of 4184  4816  6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe  85
PID 4816 wrote to memory of 2724  4816  6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe  87
PID 1576 wrote to memory of 2024  1576  rtst1039.exe  88
PID 4184 wrote to memory of 2284  4184  toolspab2.exe  90
Processes
PID:4816  C:\Users\Admin\AppData\Local\Temp\6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6B2D7C8BDEDB901D80C89717C9889ABF169C9059D8BB5.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  PID:2972  C:\Program Files (x86)\Company\NewProduct\inst2.exe
    Command line: "C:\Program Files (x86)\Company\NewProduct\inst2.exe"
    - Executes dropped EXE

  PID:1576  C:\Program Files (x86)\Company\NewProduct\rtst1039.exe
    Command line: "C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    PID:2024  C:\Users\Admin\AppData\Local\Temp\11111.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

  PID:4528  C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
    Command line: "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken

  PID:4184  C:\Program Files (x86)\Company\NewProduct\toolspab2.exe
    Command line: "C:\Program Files (x86)\Company\NewProduct\toolspab2.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    PID:2284  C:\Program Files (x86)\Company\NewProduct\toolspab2.exe
      Command line: "C:\Program Files (x86)\Company\NewProduct\toolspab2.exe"
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

  PID:2724  C:\Program Files (x86)\Company\NewProduct\Cube_WW9.exe
    Command line: "C:\Program Files (x86)\Company\NewProduct\Cube_WW9.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads