Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
138s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20230824-en -
resource tags
arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system -
submitted
28/08/2023, 03:22
Static task
static1
Behavioral task
behavioral1
Sample
a7d5611c9f290c13b3e187e558a162e4fbc0151216d94c3714b7036c9aa216d0.exe
Resource
win10v2004-20230824-en
General
-
Target
a7d5611c9f290c13b3e187e558a162e4fbc0151216d94c3714b7036c9aa216d0.exe
-
Size
703KB
-
MD5
3adcafaa7f7cec8c379bca747968a357
-
SHA1
07398aeb9a25993322f638dc524bbda6458365da
-
SHA256
a7d5611c9f290c13b3e187e558a162e4fbc0151216d94c3714b7036c9aa216d0
-
SHA512
78b2ff6673d3d237f2fa351a5752954722782b55c662dd2d46ab9961dfbf1c3b872107d154aee0c4287b73f274cd070e0207f9f4eb30dad44751a132633bb20c
-
SSDEEP
12288:PMr+y90RoCVX6bjjoOtXgtdst7qzHJDZ0AJZVtAyghewk2DW6W:VyWGjoMX2ucDZ0UtANA2qL
Malware Config
Extracted
amadey
3.87
77.91.68.18/nice/index.php
Extracted
redline
stas
77.91.124.82:19071
-
auth_value
db6d96c4eade05afc28c31d9ad73a73c
Signatures
-
Detects Healer an antivirus disabler dropper 3 IoCs
resource yara_rule behavioral1/files/0x0007000000023006-26.dat healer behavioral1/files/0x0007000000023006-27.dat healer behavioral1/memory/520-28-0x0000000000BC0000-0x0000000000BCA000-memory.dmp healer -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection g2345617.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" g2345617.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" g2345617.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" g2345617.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" g2345617.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" g2345617.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 9 IoCs
pid Process 3060 x1544785.exe 3128 x1590648.exe 2868 x6078510.exe 520 g2345617.exe 4880 h2965772.exe 2948 saves.exe 876 i9155140.exe 2924 saves.exe 3204 saves.exe -
Loads dropped DLL 1 IoCs
pid Process 1644 rundll32.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" g2345617.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" a7d5611c9f290c13b3e187e558a162e4fbc0151216d94c3714b7036c9aa216d0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x1544785.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" x1590648.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" x6078510.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3412 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 520 g2345617.exe 520 g2345617.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 520 g2345617.exe -
Suspicious use of WriteProcessMemory 47 IoCs
description pid Process procid_target PID 220 wrote to memory of 3060 220 a7d5611c9f290c13b3e187e558a162e4fbc0151216d94c3714b7036c9aa216d0.exe 84 PID 220 wrote to memory of 3060 220 a7d5611c9f290c13b3e187e558a162e4fbc0151216d94c3714b7036c9aa216d0.exe 84 PID 220 wrote to memory of 3060 220 a7d5611c9f290c13b3e187e558a162e4fbc0151216d94c3714b7036c9aa216d0.exe 84 PID 3060 wrote to memory of 3128 3060 x1544785.exe 85 PID 3060 wrote to memory of 3128 3060 x1544785.exe 85 PID 3060 wrote to memory of 3128 3060 x1544785.exe 85 PID 3128 wrote to memory of 2868 3128 x1590648.exe 86 PID 3128 wrote to memory of 2868 3128 x1590648.exe 86 PID 3128 wrote to memory of 2868 3128 x1590648.exe 86 PID 2868 wrote to memory of 520 2868 x6078510.exe 87 PID 2868 wrote to memory of 520 2868 x6078510.exe 87 PID 2868 wrote to memory of 4880 2868 x6078510.exe 88 PID 2868 wrote to memory of 4880 2868 x6078510.exe 88 PID 2868 wrote to memory of 4880 2868 x6078510.exe 88 PID 4880 wrote to memory of 2948 4880 h2965772.exe 89 PID 4880 wrote to memory of 2948 4880 h2965772.exe 89 PID 4880 wrote to memory of 2948 4880 h2965772.exe 89 PID 3128 wrote to memory of 876 3128 x1590648.exe 90 PID 3128 wrote to memory of 876 3128 x1590648.exe 90 PID 3128 wrote to memory of 876 3128 x1590648.exe 90 PID 2948 wrote to memory of 3412 2948 saves.exe 91 PID 2948 wrote to memory of 3412 2948 saves.exe 91 PID 2948 wrote to memory of 3412 2948 saves.exe 91 PID 2948 wrote to memory of 4148 2948 saves.exe 93 PID 2948 wrote to memory of 4148 2948 saves.exe 93 PID 2948 wrote to memory of 4148 2948 saves.exe 93 PID 4148 wrote to memory of 2188 4148 cmd.exe 95 PID 4148 wrote to memory of 2188 4148 cmd.exe 95 PID 4148 wrote to memory of 2188 4148 cmd.exe 95 PID 4148 wrote to memory of 2700 4148 cmd.exe 96 PID 4148 wrote to memory of 2700 4148 cmd.exe 96 PID 4148 wrote to memory of 2700 4148 cmd.exe 96 PID 4148 wrote to memory of 4144 4148 cmd.exe 97 PID 4148 wrote to memory of 4144 4148 cmd.exe 97 PID 4148 wrote to memory of 4144 4148 cmd.exe 97 PID 4148 wrote to memory of 3408 4148 cmd.exe 98 PID 4148 wrote to memory of 3408 4148 cmd.exe 98 PID 4148 wrote to memory of 3408 4148 cmd.exe 98 PID 4148 wrote to memory of 2920 4148 cmd.exe 99 PID 4148 wrote to memory of 2920 4148 cmd.exe 99 PID 4148 wrote to memory of 2920 4148 cmd.exe 99 PID 4148 wrote to memory of 1084 4148 cmd.exe 100 PID 4148 wrote to memory of 1084 4148 cmd.exe 100 PID 4148 wrote to memory of 1084 4148 cmd.exe 100 PID 2948 wrote to memory of 1644 2948 saves.exe 104 PID 2948 wrote to memory of 1644 2948 saves.exe 104 PID 2948 wrote to memory of 1644 2948 saves.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a7d5611c9f290c13b3e187e558a162e4fbc0151216d94c3714b7036c9aa216d0.exe"C:\Users\Admin\AppData\Local\Temp\a7d5611c9f290c13b3e187e558a162e4fbc0151216d94c3714b7036c9aa216d0.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1544785.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1544785.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1590648.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1590648.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6078510.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6078510.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2345617.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2345617.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:520
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2965772.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2965772.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F7⤵
- Creates scheduled task(s)
PID:3412
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit7⤵
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵PID:2188
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "saves.exe" /P "Admin:N"8⤵PID:2700
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "saves.exe" /P "Admin:R" /E8⤵PID:4144
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵PID:3408
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\b40d11255d" /P "Admin:N"8⤵PID:2920
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\b40d11255d" /P "Admin:R" /E8⤵PID:1084
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main7⤵
- Loads dropped DLL
PID:1644
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i9155140.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i9155140.exe4⤵
- Executes dropped EXE
PID:876
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exeC:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe1⤵
- Executes dropped EXE
PID:2924
-
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exeC:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe1⤵
- Executes dropped EXE
PID:3204
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
600KB
MD5f84a3c8e449506ea65ccf50b73f2e0ef
SHA1f30efbb9cc043cd10b82be0a240c1e5237a54760
SHA2567f874a616b01fa6d73c07c70d0f7253a032c388cac4d5a4b3df12619b4265ba7
SHA512bd16ce6fca43ac804d04cb88dc228e5492e261d311b498b471cbe87e1a147e260bf0eda6e97a1422e0fa261bd36d7d6917bf114e028232a1a7b02714abe4ebc0
-
Filesize
600KB
MD5f84a3c8e449506ea65ccf50b73f2e0ef
SHA1f30efbb9cc043cd10b82be0a240c1e5237a54760
SHA2567f874a616b01fa6d73c07c70d0f7253a032c388cac4d5a4b3df12619b4265ba7
SHA512bd16ce6fca43ac804d04cb88dc228e5492e261d311b498b471cbe87e1a147e260bf0eda6e97a1422e0fa261bd36d7d6917bf114e028232a1a7b02714abe4ebc0
-
Filesize
433KB
MD59b5e8e8dde8d5209bc884bae1b5b05ea
SHA1eac6586585b6d149e53e8994e15735cf86fc6c0b
SHA2568f16e235c7fd4468146fdb750936c0c1d7180931dc3fc15fbb2d7954f0522b3d
SHA512e4d5b05d154b9f79d0f7968148c703e1bdfdc1ca95c6b94688631a6c5a8f3d91d5c0ab42e87b1fdd7e1d1ec0588d8f69c2f22251244b8658db6a9729d18c19e6
-
Filesize
433KB
MD59b5e8e8dde8d5209bc884bae1b5b05ea
SHA1eac6586585b6d149e53e8994e15735cf86fc6c0b
SHA2568f16e235c7fd4468146fdb750936c0c1d7180931dc3fc15fbb2d7954f0522b3d
SHA512e4d5b05d154b9f79d0f7968148c703e1bdfdc1ca95c6b94688631a6c5a8f3d91d5c0ab42e87b1fdd7e1d1ec0588d8f69c2f22251244b8658db6a9729d18c19e6
-
Filesize
174KB
MD5f33c162da533f520788f6399d929940b
SHA13cdab7ae85e342d475ed405bd88400768ee2e2c0
SHA25627bea6f59f0d97add4e98cc29972863bd4ceb5f545004c008b6bb46c1744c26d
SHA5120e0ba12270f4357e7d4a92ad5229c56919b2e6a45249f2b2517bfb293fad45a194adffa57a8391f5d9b8b82b37ee9d6e471f2e48084e87c3df28156d0f4d59f0
-
Filesize
174KB
MD5f33c162da533f520788f6399d929940b
SHA13cdab7ae85e342d475ed405bd88400768ee2e2c0
SHA25627bea6f59f0d97add4e98cc29972863bd4ceb5f545004c008b6bb46c1744c26d
SHA5120e0ba12270f4357e7d4a92ad5229c56919b2e6a45249f2b2517bfb293fad45a194adffa57a8391f5d9b8b82b37ee9d6e471f2e48084e87c3df28156d0f4d59f0
-
Filesize
277KB
MD5c6a96c53ea6458dd6e578f5aa52fcd52
SHA12272e49d933225285e163d4aee68b98626b225f6
SHA25659d5839ce3b5a83b56060a77c76632b57919778379eb329c03f446af9cf0f870
SHA512935d99172c82178f1b76e2ae0d2e7ccea506d0d28acf652d4ff6b3be17ffcef8c44565e13508ffa22103ab6273029c76d000fe9eff72ec70e90a6683e1c8647a
-
Filesize
277KB
MD5c6a96c53ea6458dd6e578f5aa52fcd52
SHA12272e49d933225285e163d4aee68b98626b225f6
SHA25659d5839ce3b5a83b56060a77c76632b57919778379eb329c03f446af9cf0f870
SHA512935d99172c82178f1b76e2ae0d2e7ccea506d0d28acf652d4ff6b3be17ffcef8c44565e13508ffa22103ab6273029c76d000fe9eff72ec70e90a6683e1c8647a
-
Filesize
15KB
MD54a7a47e2a7825dd2fb3c5098e71dbf39
SHA1a541ea7b631a77f89df910940c6c65c74e5b7a92
SHA2567e42e10a3dc44a24fbea95815746f7aab1d0e337a678bc5d78d6b4fa4509d192
SHA5128eee1c1e66264a101b9590ce76626b8e30acb029010c7da9f59f8a7a5fb4ec015cb24d9c379e68a14a19622c11252bf92bf5fabac38245af7f3d3a3f024aac83
-
Filesize
15KB
MD54a7a47e2a7825dd2fb3c5098e71dbf39
SHA1a541ea7b631a77f89df910940c6c65c74e5b7a92
SHA2567e42e10a3dc44a24fbea95815746f7aab1d0e337a678bc5d78d6b4fa4509d192
SHA5128eee1c1e66264a101b9590ce76626b8e30acb029010c7da9f59f8a7a5fb4ec015cb24d9c379e68a14a19622c11252bf92bf5fabac38245af7f3d3a3f024aac83
-
Filesize
323KB
MD53d2c28b35e759a450dba01a542ef8f2f
SHA14318b0db6ef0240f274e117c5f75d813e9bfd000
SHA256bde8d46008cc34d21e6741c29ce0b352942f2f263904fb92be9bdfc910d4780e
SHA51231f716feb9268d0dbaa9dcfa513921565f908811c0b8b10d952c1595acc8799695b85546f3bf0948f9fc6d061bcc14383cd35ea5d7b04ec0d78bbfbe7a0166ca
-
Filesize
323KB
MD53d2c28b35e759a450dba01a542ef8f2f
SHA14318b0db6ef0240f274e117c5f75d813e9bfd000
SHA256bde8d46008cc34d21e6741c29ce0b352942f2f263904fb92be9bdfc910d4780e
SHA51231f716feb9268d0dbaa9dcfa513921565f908811c0b8b10d952c1595acc8799695b85546f3bf0948f9fc6d061bcc14383cd35ea5d7b04ec0d78bbfbe7a0166ca
-
Filesize
323KB
MD53d2c28b35e759a450dba01a542ef8f2f
SHA14318b0db6ef0240f274e117c5f75d813e9bfd000
SHA256bde8d46008cc34d21e6741c29ce0b352942f2f263904fb92be9bdfc910d4780e
SHA51231f716feb9268d0dbaa9dcfa513921565f908811c0b8b10d952c1595acc8799695b85546f3bf0948f9fc6d061bcc14383cd35ea5d7b04ec0d78bbfbe7a0166ca
-
Filesize
323KB
MD53d2c28b35e759a450dba01a542ef8f2f
SHA14318b0db6ef0240f274e117c5f75d813e9bfd000
SHA256bde8d46008cc34d21e6741c29ce0b352942f2f263904fb92be9bdfc910d4780e
SHA51231f716feb9268d0dbaa9dcfa513921565f908811c0b8b10d952c1595acc8799695b85546f3bf0948f9fc6d061bcc14383cd35ea5d7b04ec0d78bbfbe7a0166ca
-
Filesize
323KB
MD53d2c28b35e759a450dba01a542ef8f2f
SHA14318b0db6ef0240f274e117c5f75d813e9bfd000
SHA256bde8d46008cc34d21e6741c29ce0b352942f2f263904fb92be9bdfc910d4780e
SHA51231f716feb9268d0dbaa9dcfa513921565f908811c0b8b10d952c1595acc8799695b85546f3bf0948f9fc6d061bcc14383cd35ea5d7b04ec0d78bbfbe7a0166ca
-
Filesize
323KB
MD53d2c28b35e759a450dba01a542ef8f2f
SHA14318b0db6ef0240f274e117c5f75d813e9bfd000
SHA256bde8d46008cc34d21e6741c29ce0b352942f2f263904fb92be9bdfc910d4780e
SHA51231f716feb9268d0dbaa9dcfa513921565f908811c0b8b10d952c1595acc8799695b85546f3bf0948f9fc6d061bcc14383cd35ea5d7b04ec0d78bbfbe7a0166ca
-
Filesize
323KB
MD53d2c28b35e759a450dba01a542ef8f2f
SHA14318b0db6ef0240f274e117c5f75d813e9bfd000
SHA256bde8d46008cc34d21e6741c29ce0b352942f2f263904fb92be9bdfc910d4780e
SHA51231f716feb9268d0dbaa9dcfa513921565f908811c0b8b10d952c1595acc8799695b85546f3bf0948f9fc6d061bcc14383cd35ea5d7b04ec0d78bbfbe7a0166ca
-
Filesize
89KB
MD55bc0153d2973241b72a38c51a2f72116
SHA1cd9c689663557452631d9f8ff609208b01884a32
SHA25668ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554
SHA5122eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b
-
Filesize
89KB
MD55bc0153d2973241b72a38c51a2f72116
SHA1cd9c689663557452631d9f8ff609208b01884a32
SHA25668ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554
SHA5122eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b
-
Filesize
89KB
MD55bc0153d2973241b72a38c51a2f72116
SHA1cd9c689663557452631d9f8ff609208b01884a32
SHA25668ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554
SHA5122eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b
-
Filesize
273B
MD5374bfdcfcf19f4edfe949022092848d2
SHA1df5ee40497e98efcfba30012452d433373d287d4
SHA256224a123b69af5a3ab0553e334f6c70846c650597a63f6336c9420bbe8f00571f
SHA512bc66dd6e675942a8b8cd776b0813d4b182091e45bfa7734b3818f58c83d04f81f0599a27625ff345d393959b8dbe478d8f1ed33d49f9bcee052c986c8665b8d7