Analysis
-
max time kernel
203s -
max time network
210s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
30-12-2023 22:52
Behavioral task
behavioral1
Sample
1f0a89360bb9471af8b2b1136eafd65f.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
1f0a89360bb9471af8b2b1136eafd65f.exe
Resource
win10v2004-20231215-en
General
-
Target
1f0a89360bb9471af8b2b1136eafd65f.exe
-
Size
250KB
-
MD5
1f0a89360bb9471af8b2b1136eafd65f
-
SHA1
a7bd3592ff31c5c659cda9810936ddce842d6590
-
SHA256
2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a
-
SHA512
c696ee6a3a65cf01f120724c8536d14bbdc5283e6a62e1a26454629ea30c4015d62c1ba6139ca158f9952d6028ea7d9a1f76a4d2adad4e3a377d06607f5ad031
-
SSDEEP
6144:bAr3VCaIjpP65V3Q400RwDym6flM5OPh2r:bAr3VCMP00RwDymd5Uh2r
Malware Config
Extracted
F:\$RECYCLE.BIN\LOCKFILE-README-VFMDDVWB-1704392489.hta
http-equiv="Content-Type"
http-equiv="x-ua-compatible"
Signatures
-
Detect LockFile payload 2 IoCs
resource yara_rule behavioral2/memory/4916-1-0x00007FF65A5B0000-0x00007FF65A689000-memory.dmp family_lockfile behavioral2/memory/4916-92-0x00007FF65A5B0000-0x00007FF65A689000-memory.dmp family_lockfile -
LockFile
LockFile is a new ransomware that emerged in July 2021 with ProxyShell vulnerabilties.
-
Renames multiple (341) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
resource yara_rule behavioral2/memory/4916-0-0x00007FF65A5B0000-0x00007FF65A689000-memory.dmp upx behavioral2/memory/4916-1-0x00007FF65A5B0000-0x00007FF65A689000-memory.dmp upx behavioral2/memory/4916-92-0x00007FF65A5B0000-0x00007FF65A689000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\Lang\an.txt 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\Common Files\microsoft shared\ink\nb-NO\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\dotnet\host\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\7-Zip\Lang\ro.txt 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\Java\jre-1.8\bin\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\7-Zip\Lang\ru.txt 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\ext\access-bridge-64.jar 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklisted.certs 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\7-Zip\Lang\fur.txt 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\Google\Chrome\Application\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\xmlresolver.md 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\Common Files\System\Ole DB\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\nacl_irt_x86_64.nexe 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\messages_it.properties 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\Common Files\System\msadc\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngdatatype.md 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\7-Zip\Lang\da.txt 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\Common Files\System\it-IT\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\lcms.md 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\Internet Explorer\es-ES\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\rt.jar 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\thaidict.md 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\7-Zip\Lang\az.txt 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\7-Zip\Lang\is.txt 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\hwrenuslm.dat 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\Common Files\System\Ole DB\en-US\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\7-Zip\Lang\ps.txt 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\getexit.7z 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\classlist 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\Java\jdk-1.8\bin\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\7-Zip\descript.ion 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\7-Zip\Lang\fr.txt 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\dotnet\thirdpartynotices.txt 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\Common Files\System\ado\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dynalink.md 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\joni.md 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\7-Zip\Lang\ug.txt 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\Common Files\microsoft shared\ink\lt-LT\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File created C:\Program Files\Common Files\microsoft shared\Triedit\LOCKFILE-README-VFMDDVWB-1704392489.hta 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\thirdpartylicensereadme-javafx.txt 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_br.properties 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\7-Zip\Lang\ast.txt 1f0a89360bb9471af8b2b1136eafd65f.exe File opened for modification C:\Program Files\7-Zip\Lang\kab.txt 1f0a89360bb9471af8b2b1136eafd65f.exe -
Kills process with WMI 9 IoCs
pid Process 1700 WMIC.exe 2240 WMIC.exe 2100 WMIC.exe 1404 WMIC.exe 2008 WMIC.exe 3644 WMIC.exe 2760 WMIC.exe 2128 WMIC.exe 4520 WMIC.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2128 WMIC.exe Token: SeSecurityPrivilege 2128 WMIC.exe Token: SeTakeOwnershipPrivilege 2128 WMIC.exe Token: SeLoadDriverPrivilege 2128 WMIC.exe Token: SeSystemProfilePrivilege 2128 WMIC.exe Token: SeSystemtimePrivilege 2128 WMIC.exe Token: SeProfSingleProcessPrivilege 2128 WMIC.exe Token: SeIncBasePriorityPrivilege 2128 WMIC.exe Token: SeCreatePagefilePrivilege 2128 WMIC.exe Token: SeBackupPrivilege 2128 WMIC.exe Token: SeRestorePrivilege 2128 WMIC.exe Token: SeShutdownPrivilege 2128 WMIC.exe Token: SeDebugPrivilege 2128 WMIC.exe Token: SeSystemEnvironmentPrivilege 2128 WMIC.exe Token: SeRemoteShutdownPrivilege 2128 WMIC.exe Token: SeUndockPrivilege 2128 WMIC.exe Token: SeManageVolumePrivilege 2128 WMIC.exe Token: 33 2128 WMIC.exe Token: 34 2128 WMIC.exe Token: 35 2128 WMIC.exe Token: 36 2128 WMIC.exe Token: SeIncreaseQuotaPrivilege 2128 WMIC.exe Token: SeSecurityPrivilege 2128 WMIC.exe Token: SeTakeOwnershipPrivilege 2128 WMIC.exe Token: SeLoadDriverPrivilege 2128 WMIC.exe Token: SeSystemProfilePrivilege 2128 WMIC.exe Token: SeSystemtimePrivilege 2128 WMIC.exe Token: SeProfSingleProcessPrivilege 2128 WMIC.exe Token: SeIncBasePriorityPrivilege 2128 WMIC.exe Token: SeCreatePagefilePrivilege 2128 WMIC.exe Token: SeBackupPrivilege 2128 WMIC.exe Token: SeRestorePrivilege 2128 WMIC.exe Token: SeShutdownPrivilege 2128 WMIC.exe Token: SeDebugPrivilege 2128 WMIC.exe Token: SeSystemEnvironmentPrivilege 2128 WMIC.exe Token: SeRemoteShutdownPrivilege 2128 WMIC.exe Token: SeUndockPrivilege 2128 WMIC.exe Token: SeManageVolumePrivilege 2128 WMIC.exe Token: 33 2128 WMIC.exe Token: 34 2128 WMIC.exe Token: 35 2128 WMIC.exe Token: 36 2128 WMIC.exe Token: SeIncreaseQuotaPrivilege 2100 WMIC.exe Token: SeSecurityPrivilege 2100 WMIC.exe Token: SeTakeOwnershipPrivilege 2100 WMIC.exe Token: SeLoadDriverPrivilege 2100 WMIC.exe Token: SeSystemProfilePrivilege 2100 WMIC.exe Token: SeSystemtimePrivilege 2100 WMIC.exe Token: SeProfSingleProcessPrivilege 2100 WMIC.exe Token: SeIncBasePriorityPrivilege 2100 WMIC.exe Token: SeCreatePagefilePrivilege 2100 WMIC.exe Token: SeBackupPrivilege 2100 WMIC.exe Token: SeRestorePrivilege 2100 WMIC.exe Token: SeShutdownPrivilege 2100 WMIC.exe Token: SeDebugPrivilege 2100 WMIC.exe Token: SeSystemEnvironmentPrivilege 2100 WMIC.exe Token: SeRemoteShutdownPrivilege 2100 WMIC.exe Token: SeUndockPrivilege 2100 WMIC.exe Token: SeManageVolumePrivilege 2100 WMIC.exe Token: 33 2100 WMIC.exe Token: 34 2100 WMIC.exe Token: 35 2100 WMIC.exe Token: 36 2100 WMIC.exe Token: SeIncreaseQuotaPrivilege 2100 WMIC.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 4916 wrote to memory of 1912 4916 1f0a89360bb9471af8b2b1136eafd65f.exe 91 PID 4916 wrote to memory of 1912 4916 1f0a89360bb9471af8b2b1136eafd65f.exe 91 PID 1912 wrote to memory of 2128 1912 cmd.exe 92 PID 1912 wrote to memory of 2128 1912 cmd.exe 92 PID 4916 wrote to memory of 456 4916 1f0a89360bb9471af8b2b1136eafd65f.exe 93 PID 4916 wrote to memory of 456 4916 1f0a89360bb9471af8b2b1136eafd65f.exe 93 PID 456 wrote to memory of 2100 456 cmd.exe 94 PID 456 wrote to memory of 2100 456 cmd.exe 94 PID 4916 wrote to memory of 4804 4916 1f0a89360bb9471af8b2b1136eafd65f.exe 95 PID 4916 wrote to memory of 4804 4916 1f0a89360bb9471af8b2b1136eafd65f.exe 95 PID 4804 wrote to memory of 1404 4804 cmd.exe 96 PID 4804 wrote to memory of 1404 4804 cmd.exe 96 PID 4916 wrote to memory of 916 4916 1f0a89360bb9471af8b2b1136eafd65f.exe 97 PID 4916 wrote to memory of 916 4916 1f0a89360bb9471af8b2b1136eafd65f.exe 97 PID 916 wrote to memory of 4520 916 cmd.exe 98 PID 916 wrote to memory of 4520 916 cmd.exe 98 PID 4916 wrote to memory of 460 4916 1f0a89360bb9471af8b2b1136eafd65f.exe 99 PID 4916 wrote to memory of 460 4916 1f0a89360bb9471af8b2b1136eafd65f.exe 99 PID 460 wrote to memory of 2008 460 cmd.exe 100 PID 460 wrote to memory of 2008 460 cmd.exe 100 PID 4916 wrote to memory of 4784 4916 1f0a89360bb9471af8b2b1136eafd65f.exe 101 PID 4916 wrote to memory of 4784 4916 1f0a89360bb9471af8b2b1136eafd65f.exe 101 PID 4784 wrote to memory of 1700 4784 cmd.exe 102 PID 4784 wrote to memory of 1700 4784 cmd.exe 102 PID 4916 wrote to memory of 4248 4916 1f0a89360bb9471af8b2b1136eafd65f.exe 103 PID 4916 wrote to memory of 4248 4916 1f0a89360bb9471af8b2b1136eafd65f.exe 103 PID 4248 wrote to memory of 3644 4248 cmd.exe 104 PID 4248 wrote to memory of 3644 4248 cmd.exe 104 PID 4916 wrote to memory of 1920 4916 1f0a89360bb9471af8b2b1136eafd65f.exe 105 PID 4916 wrote to memory of 1920 4916 1f0a89360bb9471af8b2b1136eafd65f.exe 105 PID 1920 wrote to memory of 2760 1920 cmd.exe 106 PID 1920 wrote to memory of 2760 1920 cmd.exe 106 PID 4916 wrote to memory of 1696 4916 1f0a89360bb9471af8b2b1136eafd65f.exe 107 PID 4916 wrote to memory of 1696 4916 1f0a89360bb9471af8b2b1136eafd65f.exe 107 PID 1696 wrote to memory of 2240 1696 cmd.exe 108 PID 1696 wrote to memory of 2240 1696 cmd.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f0a89360bb9471af8b2b1136eafd65f.exe"C:\Users\Admin\AppData\Local\Temp\1f0a89360bb9471af8b2b1136eafd65f.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic process where "name like '%vmwp%'" call terminate2⤵
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\System32\Wbem\WMIC.exewmic process where "name like '%vmwp%'" call terminate3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:2128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic process where "name like '%virtualbox%'" call terminate2⤵
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\System32\Wbem\WMIC.exewmic process where "name like '%virtualbox%'" call terminate3⤵
- Kills process with WMI
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic process where "name like '%vbox%'" call terminate2⤵
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\System32\Wbem\WMIC.exewmic process where "name like '%vbox%'" call terminate3⤵
- Kills process with WMI
PID:1404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic process where "name like '%sqlservr%'" call terminate2⤵
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\System32\Wbem\WMIC.exewmic process where "name like '%sqlservr%'" call terminate3⤵
- Kills process with WMI
PID:4520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic process where "name like '%mysqld%'" call terminate2⤵
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Windows\System32\Wbem\WMIC.exewmic process where "name like '%mysqld%'" call terminate3⤵
- Kills process with WMI
PID:2008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic process where "name like '%omtsreco%'" call terminate2⤵
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Windows\System32\Wbem\WMIC.exewmic process where "name like '%omtsreco%'" call terminate3⤵
- Kills process with WMI
PID:1700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic process where "name like '%oracle%'" call terminate2⤵
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\System32\Wbem\WMIC.exewmic process where "name like '%oracle%'" call terminate3⤵
- Kills process with WMI
PID:3644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic process where "name like '%tnslsnr%'" call terminate2⤵
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\System32\Wbem\WMIC.exewmic process where "name like '%tnslsnr%'" call terminate3⤵
- Kills process with WMI
PID:2760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic process where "name like '%vmware%'" call terminate2⤵
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\System32\Wbem\WMIC.exewmic process where "name like '%vmware%'" call terminate3⤵
- Kills process with WMI
PID:2240
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
26KB
MD53b1730f640cbf0fab78a94a24a9b0b3e
SHA14e591f36969be38a3412ec0fc69ab67eedd3221d
SHA256132f76829c41a22bf940bc9632b725219203e7835ccbdea401f00d4aad2d1a5a
SHA5127a701c7c18bb08ae0e075145cffb2fee7f550ed64408067d9fee2e4364b13ee396c8231597b6381621a11d61c4872325e270ee6bf474b12625fd58061cc8694b