Analysis
-
max time kernel
157s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system -
submitted
07/12/2023, 15:42
Behavioral task
behavioral1
Sample
69e17a9252a663a2a70b7827651c9591c7ac8d088fae572ced13a2350a29c0ae.exe
Resource
win7-20231130-en
General
-
Target
69e17a9252a663a2a70b7827651c9591c7ac8d088fae572ced13a2350a29c0ae.exe
-
Size
274KB
-
MD5
4bac373f5df47643c489cb97960b8355
-
SHA1
214c1a15df6d8242abbfd01a6ddb03e91fccac80
-
SHA256
69e17a9252a663a2a70b7827651c9591c7ac8d088fae572ced13a2350a29c0ae
-
SHA512
ed743812012cf30804520bc7940fe66a513e286e5f43bd8838ccb77dd0b3a4d0aa66343c80f6b41ea8956ef05b74fd98f6146807dfd26737b8054b29f87e3852
-
SSDEEP
6144:XbTirrfykiiUjh6QH/cEOkCybEaQRXr9HNdvOa:XPcrfR6ZnOkx2LIa
Malware Config
Signatures
-
Drops file in Drivers directory 9 IoCs
description ioc Process File created C:\Windows\System32\drivers\U7FeZz7.sys Explorer.EXE File opened for modification C:\Windows\system32\drivers\sS5ZoA1ifV.sys Explorer.EXE File opened for modification C:\Windows\system32\drivers\hZb9AQdBmHkp.xdu Explorer.EXE File opened for modification C:\Windows\system32\drivers\LPGk0Hb8rmp27Z.sys Explorer.EXE File opened for modification C:\Windows\system32\drivers\d4QGIyINeZ8G4.sys Explorer.EXE File opened for modification C:\Windows\system32\drivers\SplkBSckZsEg.aoz Explorer.EXE File opened for modification C:\Windows\system32\drivers\Py19ciuUE4MMIn.rqt Explorer.EXE File opened for modification C:\Windows\system32\drivers\bmGHlwiwASffI.sys Explorer.EXE File opened for modification C:\Windows\system32\drivers\xIoIDSzkrhwl.xzr Explorer.EXE -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation 69e17a9252a663a2a70b7827651c9591c7ac8d088fae572ced13a2350a29c0ae.exe -
resource yara_rule behavioral2/memory/4100-0-0x0000000000890000-0x000000000091C000-memory.dmp upx behavioral2/memory/4100-11-0x0000000000890000-0x000000000091C000-memory.dmp upx behavioral2/memory/4100-17-0x0000000000890000-0x000000000091C000-memory.dmp upx behavioral2/memory/4100-20-0x0000000000890000-0x000000000091C000-memory.dmp upx behavioral2/memory/4100-43-0x0000000000890000-0x000000000091C000-memory.dmp upx behavioral2/memory/4100-68-0x0000000000890000-0x000000000091C000-memory.dmp upx -
Unexpected DNS network traffic destination 6 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 114.114.114.114 Destination IP 114.114.114.114 Destination IP 114.114.114.114 Destination IP 223.5.5.5 Destination IP 114.114.114.114 Destination IP 114.114.114.114 -
resource yara_rule behavioral2/files/0x000500000002272f-89.dat vmprotect behavioral2/files/0x000b00000002272f-117.dat vmprotect behavioral2/files/0x001300000002272f-145.dat vmprotect behavioral2/files/0x0006000000023133-173.dat vmprotect -
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\system32\2IKhi9fq3x.ooa Explorer.EXE File opened for modification C:\Windows\system32\sER2c8anygtj.atm Explorer.EXE File opened for modification C:\Windows\system32\u21MpWXh2eeRWT.uhi Explorer.EXE File opened for modification C:\Windows\system32\ePir2f8ynV1TeW.niw Explorer.EXE File created C:\Windows\system32\ \Windows\System32\1mLvviJ.sys Explorer.EXE File opened for modification C:\Windows\system32\9mmF3MUER0qz.sys Explorer.EXE File opened for modification C:\Windows\system32\eGf2J6oAw4.sys Explorer.EXE File opened for modification C:\Windows\system32\mTZayFsjlcN.sys Explorer.EXE File opened for modification C:\Windows\system32\R5CgfXmsbeU.sys Explorer.EXE -
Drops file in Program Files directory 21 IoCs
description ioc Process File opened for modification C:\Program Files\MSBuild\manifest.json Explorer.EXE File opened for modification C:\Program Files\MSBuild\lib\646f0627.js Explorer.EXE File opened for modification C:\Program Files (x86)\mSZyp7kzpXBPqO.bpm Explorer.EXE File opened for modification C:\Program Files\9NJKE76RPKnw.sys Explorer.EXE File opened for modification C:\Program Files\1u3CT0fPoC1K.btq Explorer.EXE File opened for modification C:\Program Files\f5CUCniPrF.wvq Explorer.EXE File opened for modification C:\Program Files\mA9B9YaOsNqC.sys Explorer.EXE File opened for modification C:\Program Files (x86)\oo7DsU97NXz6.exr Explorer.EXE File opened for modification C:\Program Files\HZPUle5Qr9.sys Explorer.EXE File opened for modification C:\Program Files\MSBuild\47bd0465.html Explorer.EXE File opened for modification C:\Program Files\DmwFLupC8fKkMA.sys Explorer.EXE File opened for modification C:\Program Files (x86)\3ZGvGLhEEsFI.pgi Explorer.EXE File opened for modification C:\Program Files\MSBuild\56160546.js Explorer.EXE File opened for modification C:\Program Files (x86)\wWeYyGqo3ygx.sys Explorer.EXE File opened for modification C:\Program Files (x86)\ScXObMqnfU5M.zet Explorer.EXE File opened for modification C:\Program Files (x86)\ZrJg9IsJ3zDZJ.sys Explorer.EXE File opened for modification C:\Program Files\MSBuild\39640384.js Explorer.EXE File opened for modification C:\Program Files\GOmOqlVX0q.bzb Explorer.EXE File opened for modification C:\Program Files (x86)\js5DAENaJnVmL.sys Explorer.EXE File opened for modification C:\Program Files\2godp7kif8g.uce Explorer.EXE File opened for modification C:\Program Files (x86)\SjnmwrU38Ot1.sys Explorer.EXE -
Drops file in Windows directory 10 IoCs
description ioc Process File opened for modification C:\Windows\err_4100.log 69e17a9252a663a2a70b7827651c9591c7ac8d088fae572ced13a2350a29c0ae.exe File created C:\Windows\lngYHck.sys Explorer.EXE File opened for modification C:\Windows\YM5fwb9xAIGSt5.sys Explorer.EXE File opened for modification C:\Windows\ZleNaTtsqI.qfz Explorer.EXE File opened for modification C:\Windows\mzwlAIbYfbMcs.sys Explorer.EXE File opened for modification C:\Windows\dzwHPKqrXh0.sys Explorer.EXE File opened for modification C:\Windows\Po73k5EZf0z2n.wmo Explorer.EXE File opened for modification C:\Windows\82GdkTtyV4JR.sys Explorer.EXE File opened for modification C:\Windows\HjXmILXUrL3.tno Explorer.EXE File opened for modification C:\Windows\XYanE8zcuv2.iko Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 Explorer.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 Explorer.EXE Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName Explorer.EXE -
Delays execution with timeout.exe 1 IoCs
pid Process 4048 timeout.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4100 69e17a9252a663a2a70b7827651c9591c7ac8d088fae572ced13a2350a29c0ae.exe 3376 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3376 Explorer.EXE -
Suspicious behavior: LoadsDriver 59 IoCs
pid Process 660 Process not Found -
Suspicious use of AdjustPrivilegeToken 19 IoCs
description pid Process Token: SeDebugPrivilege 4100 69e17a9252a663a2a70b7827651c9591c7ac8d088fae572ced13a2350a29c0ae.exe Token: SeTcbPrivilege 4100 69e17a9252a663a2a70b7827651c9591c7ac8d088fae572ced13a2350a29c0ae.exe Token: SeDebugPrivilege 4100 69e17a9252a663a2a70b7827651c9591c7ac8d088fae572ced13a2350a29c0ae.exe Token: SeDebugPrivilege 4100 69e17a9252a663a2a70b7827651c9591c7ac8d088fae572ced13a2350a29c0ae.exe Token: SeDebugPrivilege 3376 Explorer.EXE Token: SeDebugPrivilege 3376 Explorer.EXE Token: SeDebugPrivilege 3376 Explorer.EXE Token: SeIncBasePriorityPrivilege 4100 69e17a9252a663a2a70b7827651c9591c7ac8d088fae572ced13a2350a29c0ae.exe Token: SeShutdownPrivilege 3376 Explorer.EXE Token: SeCreatePagefilePrivilege 3376 Explorer.EXE Token: SeDebugPrivilege 3376 Explorer.EXE Token: SeBackupPrivilege 3376 Explorer.EXE Token: SeDebugPrivilege 3376 Explorer.EXE Token: SeDebugPrivilege 1012 dwm.exe Token: SeBackupPrivilege 1012 dwm.exe Token: SeShutdownPrivilege 1012 dwm.exe Token: SeCreatePagefilePrivilege 1012 dwm.exe Token: SeShutdownPrivilege 1012 dwm.exe Token: SeCreatePagefilePrivilege 1012 dwm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3376 Explorer.EXE -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3376 Explorer.EXE -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 4100 wrote to memory of 3376 4100 69e17a9252a663a2a70b7827651c9591c7ac8d088fae572ced13a2350a29c0ae.exe 52 PID 4100 wrote to memory of 620 4100 69e17a9252a663a2a70b7827651c9591c7ac8d088fae572ced13a2350a29c0ae.exe 3 PID 4100 wrote to memory of 724 4100 69e17a9252a663a2a70b7827651c9591c7ac8d088fae572ced13a2350a29c0ae.exe 105 PID 724 wrote to memory of 4048 724 cmd.exe 107 PID 3376 wrote to memory of 1012 3376 Explorer.EXE 9
Processes
C:\Windows\system32\winlogon.exe (command line: winlogon.exe), PID:620
    C:\Windows\system32\dwm.exe (command line: "dwm.exe"), PID:1012
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID:3376
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\69e17a9252a663a2a70b7827651c9591c7ac8d088fae572ced13a2350a29c0ae.exe (command line: "C:\Users\Admin\AppData\Local\Temp\69e17a9252a663a2a70b7827651c9591c7ac8d088fae572ced13a2350a29c0ae.exe"), PID:4100
    - Checks computer location settings
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (command line: "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\69e17a9252a663a2a70b7827651c9591c7ac8d088fae572ced13a2350a29c0ae.exe"), PID:724
        - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\timeout.exe (command line: timeout /t 1), PID:4048
            - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads