Analysis
-
max time kernel
37s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
29/10/2022, 02:02
Behavioral task
behavioral1
Sample
d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe
Resource
win10v2004-20220812-en
General
-
Target
d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe
-
Size
255KB
-
MD5
56d4d2d9375e2130d5dd72f84f82c311
-
SHA1
cfc2258551d49bd5f239664532ec2cb8b1a8b95e
-
SHA256
d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091
-
SHA512
7c7d367042f48fc3a3b525cb4088f97276f566fe9f1367d7d6502382efb91ce6462e92d3a5b62b723f089a998a0d105a598b32742f8125c9230dfe28c9ba1a42
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJR:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIq
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" avcfubnkzt.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" avcfubnkzt.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" avcfubnkzt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" avcfubnkzt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" avcfubnkzt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" avcfubnkzt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" avcfubnkzt.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" avcfubnkzt.exe -
Executes dropped EXE 2 IoCs
pid Process 1532 avcfubnkzt.exe 1648 vgzvlmwscezwykg.exe -
resource yara_rule behavioral1/memory/1668-55-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/files/0x00140000000054ab-56.dat upx behavioral1/files/0x00140000000054ab-61.dat upx behavioral1/files/0x0009000000013a13-60.dat upx behavioral1/files/0x0006000000014159-65.dat upx behavioral1/files/0x0009000000013a13-66.dat upx behavioral1/files/0x000600000001420e-70.dat upx behavioral1/files/0x000600000001420e-72.dat upx behavioral1/files/0x0006000000014159-74.dat upx behavioral1/files/0x000600000001420e-75.dat upx behavioral1/files/0x0006000000014159-68.dat upx behavioral1/files/0x0009000000013a13-63.dat upx behavioral1/files/0x00140000000054ab-58.dat upx behavioral1/files/0x0006000000014159-76.dat upx behavioral1/files/0x0006000000014159-78.dat upx behavioral1/memory/1648-82-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/960-83-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/392-85-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/764-84-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/1532-81-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/1668-87-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/392-94-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/764-93-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/960-92-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/1648-91-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/1532-90-0x0000000000400000-0x00000000004A0000-memory.dmp upx -
Loads dropped DLL 3 IoCs
pid Process 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" avcfubnkzt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" avcfubnkzt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" avcfubnkzt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" avcfubnkzt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" avcfubnkzt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" avcfubnkzt.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" avcfubnkzt.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" avcfubnkzt.exe -
Drops file in System32 directory 8 IoCs
description ioc Process File created C:\Windows\SysWOW64\vgzvlmwscezwykg.exe d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe File opened for modification C:\Windows\SysWOW64\vgzvlmwscezwykg.exe d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe File created C:\Windows\SysWOW64\kxxhwxbc.exe d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe File opened for modification C:\Windows\SysWOW64\kxxhwxbc.exe d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe File created C:\Windows\SysWOW64\qrbwjhaqkeala.exe d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe File opened for modification C:\Windows\SysWOW64\qrbwjhaqkeala.exe d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe File created C:\Windows\SysWOW64\avcfubnkzt.exe d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe File opened for modification C:\Windows\SysWOW64\avcfubnkzt.exe d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 19 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" avcfubnkzt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs avcfubnkzt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F89FCFC485D826F9132D72F7D94BC97E146594267466332D7EC" d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat avcfubnkzt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc avcfubnkzt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" avcfubnkzt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf avcfubnkzt.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC0B05B44E639EA52C9B9A132E8D7C5" d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F068B6FF6621DDD27CD0D68B0E9060" d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C60B1590DABEB8CD7FE3EDE534C7" d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAFACAFE67F2E4837C3B35819C3E92B08C02F14262023EE2BE42EB08D4" d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" avcfubnkzt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" avcfubnkzt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" avcfubnkzt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422D7E9C5183596D4276D270512CAE7C8465DD" d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh avcfubnkzt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" avcfubnkzt.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg avcfubnkzt.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 1532 avcfubnkzt.exe 1532 avcfubnkzt.exe 1532 avcfubnkzt.exe 1532 avcfubnkzt.exe 1532 avcfubnkzt.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 1532 avcfubnkzt.exe 1532 avcfubnkzt.exe 1532 avcfubnkzt.exe -
Suspicious use of SendNotifyMessage 6 IoCs
pid Process 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 1532 avcfubnkzt.exe 1532 avcfubnkzt.exe 1532 avcfubnkzt.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1668 wrote to memory of 1532 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 24 PID 1668 wrote to memory of 1532 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 24 PID 1668 wrote to memory of 1532 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 24 PID 1668 wrote to memory of 1532 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 24 PID 1668 wrote to memory of 1648 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 28 PID 1668 wrote to memory of 1648 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 28 PID 1668 wrote to memory of 1648 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 28 PID 1668 wrote to memory of 1648 1668 d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe"C:\Users\Admin\AppData\Local\Temp\d6eb2aa7073347eb2e2945dde3060989d6c1236d2cb9004e4b890963f2ac3091.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\avcfubnkzt.exeavcfubnkzt.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1532 -
C:\Windows\SysWOW64\kxxhwxbc.exeC:\Windows\system32\kxxhwxbc.exe3⤵PID:392
-
-
-
C:\Windows\SysWOW64\qrbwjhaqkeala.exeqrbwjhaqkeala.exe2⤵PID:764
-
-
C:\Windows\SysWOW64\kxxhwxbc.exekxxhwxbc.exe2⤵PID:960
-
-
C:\Windows\SysWOW64\vgzvlmwscezwykg.exevgzvlmwscezwykg.exe2⤵
- Executes dropped EXE
PID:1648
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵PID:820
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
57KB
MD5d8b6d922677a81601b287e9a523dddac
SHA16684bdae989343e131fc8ce986e9e4bbd6c1ff09
SHA256d259fa307e64ece0c0fcf58a0b5849c0c029c2af7a338c3f49b233a4cfb1c9bd
SHA5122ec9c1b3d9d0e00254950845d3d23c87e832bcc0248269166a3ab2a583b5b94b07def937f82e2b4b959051a57ec34666d21ffb1354268cc75573167239f5d944
-
Filesize
37KB
MD5d552f78deb9cb7be5821d16959a02f09
SHA19adc69b6baf964d61a838da0009095b616d35d18
SHA2562a697d87cde1e429016935ba1ae732e44d4a5f4428eb35078bb44879e86aeb1b
SHA512254078f7eae3ccc9915c9c36edf35812396de030d9503e3af67470253603a60bc953297c39ff6aad0d93f6c5732ac7a27d666881e06e0ea9c51b987f644e7d03
-
Filesize
32KB
MD581043ad75db2ff1d7aad7f7ceeae7696
SHA16393abd7c8c7ec36eac77b77118dd7739499a8e0
SHA256c2421d56cf57cf9989da4cdfd0f688538b1f78924ffd3719a507114f92ddcf25
SHA5128af5122afa4ecff1bde1fa51ab62a529599074a83ba398cc56cf8c7e02184e2cc02457c5e58dc9e4deecfa11943dadc1798f22075a1e207ca16dd3385446ff8a
-
Filesize
22KB
MD52e330e880e19679c7b9f46e5eb564ba6
SHA1701e42b2e10f4325cda7fc4b41b9a551259da61d
SHA256cd1d83caba8a801ee794cd74658024b8fc8fbf94465898b92a70f75bb2e0c233
SHA512f59dead6bf57f79f107aa138cd40bd132a17910ac0a47f9589d22868d932c5934fb7e1bb366b5fc4aab2b7539216086fbf376bb254e00d47dcbf99019e1eee78
-
Filesize
34KB
MD558ffa14fcfa627f7770f1831205a4525
SHA1e58b60ac4e59562d7664b217d5d34916ace3c125
SHA256682bf0bae1dff84dab2ee4c9f398e28a45b4b8f23b6bf628e34d3b4c8777b9d2
SHA512df99c0c3ff69c79cb219592c2182c3be9a7e6ae52b6119b207397978e064994259ee82f386216b2222287ea125eb5fca4d396e89c25a01b19b9f846a18050eaf
-
Filesize
41KB
MD5444682a903cd575c0c659c0c8252cb42
SHA1e76780303849d98ece47f681fb65d14bb4f39fcd
SHA25644bc8c70eb54ed665b9ee419b9dd6e1d9fcf1623cdafdd1ed4a639f25dd1fa7a
SHA512f335e913ad5b93f9bf99ee7af2d85b832ad5db4ff06ea3cd8fe645289dc6e494c8b04ae55d5195f57cdf39f19d48622b9767879d1451a8543b1a48ece48a0019
-
Filesize
31KB
MD56ff2a7c37a47f6ef843f1bbd8b0aed4d
SHA171821862efcd6a64dcd2115b57ad19b0529ef715
SHA25632ceb513502ef3d33295df3d642524575d10a241f883c01211473a060e353d5d
SHA5128daf55b12529bb6f891a787ff0f16d9e76208c7bb30edda8fafe9c98ae2cddee1f9deeb8196c58f8f2379f87241661d7252f450a42899d286340872eb5729a39
-
Filesize
48KB
MD532760de89400557f3d02d8b30f775be4
SHA121f91c2bf55d5fcb2532eb9f201e3ec4ea4025b9
SHA256c71a0df1f95df6cb3894112b735cc01eebef86d2e11193d35522c2a4b82aefba
SHA51268269bca90648c059abac2f5725ea2d17a109e09a60cd6779bf72bbf858610699af69cbb0df2a469dac04e5d08a047aee1e35347555331aa4396d3274350eb65
-
Filesize
24KB
MD5558eb9a3ff224ce83f2d920a778e6eed
SHA10242ad966dd44aaa593b1a3acf3427085e2fe3bd
SHA256f1c83d7bfd2cc3648ee3b3d7a2a7467e65bd54817633b6c66bc2ce4a7968badf
SHA512ebe3387ce850672cc36dc5f6b46b793b3f1a20e977f5378fd7745ce3ad891ee7ba93762b0e29fc9a0f1e0e9075e542ada52aecd8e557d8e533e5e987c11b422a
-
Filesize
27KB
MD576c24f8bc57e7f411984c4ecbfba8276
SHA19c2a1e0c3e0f574890a11fb0690d64af2877f2c3
SHA25639f0be7b3f0649beae8608da5a40c6c3b07c58d735948928c245b95c6ca8cc9b
SHA51296aeb206291df0763d85f3939bc66fa197633ba6d94ee2038aa0cfccfe21ee357896d616f60667e58c7968ded07615bb34fee82e0277454b8ba17ea85d6c74fc
-
Filesize
22KB
MD55d5bfcb43bcf3ead077f1156759e32eb
SHA17c4b39b54a08048b61222e3af8d44652d62050d5
SHA2567a7e993ba54913a4d9f56be731d8ca359d7e282efe44dfba730112c4ccf6f6e4
SHA512e647a1b08c87b61608d3944f5fbae365017bd584ed092836cf17af1ab4489f4acd9f157669cb05f46662c591f3bcfa5489e63972bcba37a163fa6c84a384379b
-
Filesize
19KB
MD5d864c6d7b1647ccbcacc5f960e88e035
SHA1fdda001ff638ad26035916716c3cbd66a5a0cb9d
SHA256b6de72e71161a8e483761abb9d271da238b89096a186be95f391adbf12d25e8c
SHA512de0c99898b456e322daf2befb733ccbaeb202f220adf00a4cccb1a2004ccba503fac2ed522dd1b4453ca0bf47f40b55caa9d36da9e46f00c26b828dc92faad06
-
Filesize
47KB
MD5b0c5a337e535ba98aefe8b3ec7d1b079
SHA105d112f877b0b41ab342b11d0e5a381864d0cc57
SHA256bd60172d0ffcb5ac13bd244de41f70ec4f75b271febbfba915500f8249b4e748
SHA512b036e71b75c63c5b3e34dc114ffe81c771d704fb48c1b9c8edec5c48b1e29b59dfd61f41519a8b7904c2ae5dd603d751512de7182a620cd1563a8baffb7ae35d
-
Filesize
56KB
MD5867d7ae0498eb4505b460f524efaf1f1
SHA15f3f72df38685dffef305a0add8879671d515b8e
SHA256638318c6488c1a8d2aa24a75ed7af8260c587c1d0ed8d78913b922960cc49cb4
SHA5122f93bb3731170dff60e308474d571de8b28a74b6550bfcd2feb8295be47a49c38cadb122157aadb4229a005a86fbd265ad603606d43c935f969c44233947ce95