Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
127s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
04/10/2022, 06:42
Static task
static1
Behavioral task
behavioral1
Sample
32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
Resource
win10v2004-20220812-en
General
-
Target
32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe
-
Size
277KB
-
MD5
51df6c86fbfd306188018609adba4068
-
SHA1
6169ea83c701474374f08be9220e8a16fb628386
-
SHA256
32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee
-
SHA512
60ef0f212ff87b1fd2284e860360d746d410dcfa052d168babc867712d9d0ca2fb8fe5583118b5e29ff372e34dd1e501be24fa31fc112cb3c61bbf485e7d2c9f
-
SSDEEP
3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCmp+Mm1tfYBDjJFdrRlow2sRxDZc91HvHaHv:gDCwfG1bnxM1SF9FdbokZcvHm
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" avscan.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" hosts.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" avscan.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" hosts.exe -
Adds policy Run key to start application 2 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run WScript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TMKNGOMU = "W_X_C.bat" WScript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run WScript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TMKNGOMU = "W_X_C.bat" WScript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run WScript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TMKNGOMU = "W_X_C.bat" WScript.exe -
Executes dropped EXE 6 IoCs
pid Process 4928 avscan.exe 652 avscan.exe 220 hosts.exe 2388 hosts.exe 1524 avscan.exe 524 hosts.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation cmd.exe -
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" 32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run avscan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" avscan.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run hosts.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" hosts.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\hosts.exe avscan.exe File opened for modification C:\Windows\hosts.exe hosts.exe File created C:\windows\W_X_C.vbs 32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe File created \??\c:\windows\W_X_C.bat 32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe File opened for modification C:\Windows\hosts.exe 32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings 32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings cmd.exe -
Modifies registry key 1 TTPs 7 IoCs
pid Process 2508 REG.exe 4460 REG.exe 420 REG.exe 3632 REG.exe 3024 REG.exe 3276 REG.exe 1000 REG.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 4928 avscan.exe 2388 hosts.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 4768 32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe 4928 avscan.exe 652 avscan.exe 220 hosts.exe 2388 hosts.exe 1524 avscan.exe 524 hosts.exe -
Suspicious use of WriteProcessMemory 57 IoCs
description pid Process procid_target PID 4768 wrote to memory of 4460 4768 32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe 83 PID 4768 wrote to memory of 4460 4768 32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe 83 PID 4768 wrote to memory of 4460 4768 32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe 83 PID 4768 wrote to memory of 4928 4768 32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe 85 PID 4768 wrote to memory of 4928 4768 32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe 85 PID 4768 wrote to memory of 4928 4768 32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe 85 PID 4928 wrote to memory of 652 4928 avscan.exe 87 PID 4928 wrote to memory of 652 4928 avscan.exe 87 PID 4928 wrote to memory of 652 4928 avscan.exe 87 PID 4768 wrote to memory of 1452 4768 32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe 89 PID 4768 wrote to memory of 1452 4768 32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe 89 PID 4768 wrote to memory of 1452 4768 32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe 89 PID 4928 wrote to memory of 2828 4928 avscan.exe 88 PID 4928 wrote to memory of 2828 4928 avscan.exe 88 PID 4928 wrote to memory of 2828 4928 avscan.exe 88 PID 2828 wrote to memory of 220 2828 cmd.exe 93 PID 2828 wrote to memory of 220 2828 cmd.exe 93 PID 2828 wrote to memory of 220 2828 cmd.exe 93 PID 1452 wrote to memory of 2388 1452 cmd.exe 92 PID 1452 wrote to memory of 2388 1452 cmd.exe 92 PID 1452 wrote to memory of 2388 1452 cmd.exe 92 PID 2388 wrote to memory of 1524 2388 hosts.exe 94 PID 2388 wrote to memory of 1524 2388 hosts.exe 94 PID 2388 wrote to memory of 1524 2388 hosts.exe 94 PID 2388 wrote to memory of 3168 2388 hosts.exe 95 PID 2388 wrote to memory of 3168 2388 hosts.exe 95 PID 2388 wrote to memory of 3168 2388 hosts.exe 95 PID 3168 wrote to memory of 524 3168 cmd.exe 97 PID 3168 wrote to memory of 524 3168 cmd.exe 97 PID 3168 wrote to memory of 524 3168 cmd.exe 97 PID 2828 wrote to memory of 4200 2828 cmd.exe 100 PID 2828 wrote to memory of 4200 2828 cmd.exe 100 PID 2828 wrote to memory of 4200 2828 cmd.exe 100 PID 3168 wrote to memory of 784 3168 cmd.exe 98 PID 3168 wrote to memory of 784 3168 cmd.exe 98 PID 3168 wrote to memory of 784 3168 cmd.exe 98 PID 1452 wrote to memory of 4740 1452 cmd.exe 99 PID 1452 wrote to memory of 4740 1452 cmd.exe 99 PID 1452 wrote to memory of 4740 1452 cmd.exe 99 PID 4928 wrote to memory of 420 4928 avscan.exe 105 PID 4928 wrote to memory of 420 4928 avscan.exe 105 PID 4928 wrote to memory of 420 4928 avscan.exe 105 PID 2388 wrote to memory of 3632 2388 hosts.exe 107 PID 2388 wrote to memory of 3632 2388 hosts.exe 107 PID 2388 wrote to memory of 3632 2388 hosts.exe 107 PID 4928 wrote to memory of 3024 4928 avscan.exe 112 PID 4928 wrote to memory of 3024 4928 avscan.exe 112 PID 4928 wrote to memory of 3024 4928 avscan.exe 112 PID 2388 wrote to memory of 3276 2388 hosts.exe 114 PID 2388 wrote to memory of 3276 2388 hosts.exe 114 PID 2388 wrote to memory of 3276 2388 hosts.exe 114 PID 4928 wrote to memory of 1000 4928 avscan.exe 117 PID 4928 wrote to memory of 1000 4928 avscan.exe 117 PID 4928 wrote to memory of 1000 4928 avscan.exe 117 PID 2388 wrote to memory of 2508 2388 hosts.exe 118 PID 2388 wrote to memory of 2508 2388 hosts.exe 118 PID 2388 wrote to memory of 2508 2388 hosts.exe 118
Processes
-
C:\Users\Admin\AppData\Local\Temp\32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe"C:\Users\Admin\AppData\Local\Temp\32c98cfa5a760d583aa65d4ed1ad2e1f5d0faf0098a20a4881fde3eba7bba8ee.exe"1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\REG.exeREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f2⤵
- Modifies registry key
PID:4460
-
-
C:\Users\Admin\AppData\Local\Temp\avscan.exeC:\Users\Admin\AppData\Local\Temp\avscan.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Users\Admin\AppData\Local\Temp\avscan.exeC:\Users\Admin\AppData\Local\Temp\avscan.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:652
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\windows\hosts.exeC:\windows\hosts.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:220
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"4⤵
- Adds policy Run key to start application
PID:4200
-
-
-
C:\Windows\SysWOW64\REG.exeREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f3⤵
- Modifies registry key
PID:420
-
-
C:\Windows\SysWOW64\REG.exeREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f3⤵
- Modifies registry key
PID:3024
-
-
C:\Windows\SysWOW64\REG.exeREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f3⤵
- Modifies registry key
PID:1000
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\windows\hosts.exeC:\windows\hosts.exe3⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Users\Admin\AppData\Local\Temp\avscan.exeC:\Users\Admin\AppData\Local\Temp\avscan.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1524
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\windows\hosts.exeC:\windows\hosts.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:524
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"5⤵
- Adds policy Run key to start application
PID:784
-
-
-
C:\Windows\SysWOW64\REG.exeREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f4⤵
- Modifies registry key
PID:3632
-
-
C:\Windows\SysWOW64\REG.exeREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f4⤵
- Modifies registry key
PID:3276
-
-
C:\Windows\SysWOW64\REG.exeREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f4⤵
- Modifies registry key
PID:2508
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"3⤵
- Adds policy Run key to start application
PID:4740
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2624
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
277KB
MD55d6c608fb4d62c8a808a8d4b2b8abefd
SHA1671a4a0219b76362150f92a34b0956d6bff45736
SHA2562a305f131a10ff533de79d4602a77ede7f8e72585bf889c6c96e5e5b98bf74a1
SHA512cbad9003cc8dad3853204fdd320814947d4e82e43356b4b1980fce3148210418fde1e6ab6fb6db19c9c0007a2fb6706fe20ef6dd4c08b8add79f7d69e4057beb
-
Filesize
277KB
MD55d6c608fb4d62c8a808a8d4b2b8abefd
SHA1671a4a0219b76362150f92a34b0956d6bff45736
SHA2562a305f131a10ff533de79d4602a77ede7f8e72585bf889c6c96e5e5b98bf74a1
SHA512cbad9003cc8dad3853204fdd320814947d4e82e43356b4b1980fce3148210418fde1e6ab6fb6db19c9c0007a2fb6706fe20ef6dd4c08b8add79f7d69e4057beb
-
Filesize
277KB
MD55d6c608fb4d62c8a808a8d4b2b8abefd
SHA1671a4a0219b76362150f92a34b0956d6bff45736
SHA2562a305f131a10ff533de79d4602a77ede7f8e72585bf889c6c96e5e5b98bf74a1
SHA512cbad9003cc8dad3853204fdd320814947d4e82e43356b4b1980fce3148210418fde1e6ab6fb6db19c9c0007a2fb6706fe20ef6dd4c08b8add79f7d69e4057beb
-
Filesize
277KB
MD55d6c608fb4d62c8a808a8d4b2b8abefd
SHA1671a4a0219b76362150f92a34b0956d6bff45736
SHA2562a305f131a10ff533de79d4602a77ede7f8e72585bf889c6c96e5e5b98bf74a1
SHA512cbad9003cc8dad3853204fdd320814947d4e82e43356b4b1980fce3148210418fde1e6ab6fb6db19c9c0007a2fb6706fe20ef6dd4c08b8add79f7d69e4057beb
-
Filesize
195B
MD5c35f93e634b81f2cb003c72a1fb9d1f2
SHA19b6c533eebab7958e9e167ab93a412d5411c7a89
SHA2566afae199db9be5b7c4c5dac778ec8c45051666d11f93dd93c1700beb20e1136f
SHA5125cc512763da54bc66ffff42e02dc28ad9cda03e46a8b9181425c619815fb7c7afe3a71fc73742e151e26de7a21ade101e59d6853fe70b7d99ea93195325c010d
-
Filesize
277KB
MD5a926b51f8f71a07e17af3fd7aa0f0cd0
SHA105b1a3faccda80d726add1b5ce4e230c9ec849ca
SHA25680eb4ac7f2a124a4d96fd83ef9abe46ffd1ef7bd35286f6e4980d227890a7f40
SHA5122c266e39113a1fabc6b64c70f5b895ebfd70286127160da3d4c960cd9d58575bdc0cff83747002daeb18d95f07b3f187c873559a8dcaf3ec5ff5ed55b3be339e
-
Filesize
277KB
MD5a926b51f8f71a07e17af3fd7aa0f0cd0
SHA105b1a3faccda80d726add1b5ce4e230c9ec849ca
SHA25680eb4ac7f2a124a4d96fd83ef9abe46ffd1ef7bd35286f6e4980d227890a7f40
SHA5122c266e39113a1fabc6b64c70f5b895ebfd70286127160da3d4c960cd9d58575bdc0cff83747002daeb18d95f07b3f187c873559a8dcaf3ec5ff5ed55b3be339e
-
Filesize
277KB
MD5a926b51f8f71a07e17af3fd7aa0f0cd0
SHA105b1a3faccda80d726add1b5ce4e230c9ec849ca
SHA25680eb4ac7f2a124a4d96fd83ef9abe46ffd1ef7bd35286f6e4980d227890a7f40
SHA5122c266e39113a1fabc6b64c70f5b895ebfd70286127160da3d4c960cd9d58575bdc0cff83747002daeb18d95f07b3f187c873559a8dcaf3ec5ff5ed55b3be339e
-
Filesize
277KB
MD5a926b51f8f71a07e17af3fd7aa0f0cd0
SHA105b1a3faccda80d726add1b5ce4e230c9ec849ca
SHA25680eb4ac7f2a124a4d96fd83ef9abe46ffd1ef7bd35286f6e4980d227890a7f40
SHA5122c266e39113a1fabc6b64c70f5b895ebfd70286127160da3d4c960cd9d58575bdc0cff83747002daeb18d95f07b3f187c873559a8dcaf3ec5ff5ed55b3be339e
-
Filesize
277KB
MD5a926b51f8f71a07e17af3fd7aa0f0cd0
SHA105b1a3faccda80d726add1b5ce4e230c9ec849ca
SHA25680eb4ac7f2a124a4d96fd83ef9abe46ffd1ef7bd35286f6e4980d227890a7f40
SHA5122c266e39113a1fabc6b64c70f5b895ebfd70286127160da3d4c960cd9d58575bdc0cff83747002daeb18d95f07b3f187c873559a8dcaf3ec5ff5ed55b3be339e
-
Filesize
336B
MD54db9f8b6175722b62ececeeeba1ce307
SHA13b3ba8414706e72a6fa19e884a97b87609e11e47
SHA256d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
SHA5121d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b