Malware Analysis Report

2024-11-30 21:38

Sample ID 231230-z1bcpscaa2
Target 1c8d867908c6052eedb3348099a8fcb3
SHA256 f9410899b470ab8ef0284c3f937805591d4fd278bf34801dcf0ae377d70e050c
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f9410899b470ab8ef0284c3f937805591d4fd278bf34801dcf0ae377d70e050c

Threat Level: Known bad

The file 1c8d867908c6052eedb3348099a8fcb3 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 21:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 21:10

Reported

2024-01-04 08:46

Platform

win7-20231129-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 21:10

Reported

2024-01-04 08:47

Platform

win10v2004-20231215-en

Max time kernel

156s

Max time network

217s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c8d867908c6052eedb3348099a8fcb3.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\qXK6\\cmstp.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\hDlK4cIQJ\sessionmsg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\pcDZT5Yiq\cmstp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\i1fyzGDUO\eudcedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3452 wrote to memory of 632 N/A N/A C:\Windows\system32\sessionmsg.exe
PID 3452 wrote to memory of 632 N/A N/A C:\Windows\system32\sessionmsg.exe
PID 3452 wrote to memory of 2752 N/A N/A C:\Users\Admin\AppData\Local\hDlK4cIQJ\sessionmsg.exe
PID 3452 wrote to memory of 2752 N/A N/A C:\Users\Admin\AppData\Local\hDlK4cIQJ\sessionmsg.exe
PID 3452 wrote to memory of 4400 N/A N/A C:\Windows\system32\cmstp.exe
PID 3452 wrote to memory of 4400 N/A N/A C:\Windows\system32\cmstp.exe
PID 3452 wrote to memory of 752 N/A N/A C:\Users\Admin\AppData\Local\pcDZT5Yiq\cmstp.exe
PID 3452 wrote to memory of 752 N/A N/A C:\Users\Admin\AppData\Local\pcDZT5Yiq\cmstp.exe
PID 3452 wrote to memory of 3592 N/A N/A C:\Windows\system32\eudcedit.exe
PID 3452 wrote to memory of 3592 N/A N/A C:\Windows\system32\eudcedit.exe
PID 3452 wrote to memory of 1016 N/A N/A C:\Users\Admin\AppData\Local\i1fyzGDUO\eudcedit.exe
PID 3452 wrote to memory of 1016 N/A N/A C:\Users\Admin\AppData\Local\i1fyzGDUO\eudcedit.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c8d867908c6052eedb3348099a8fcb3.dll,#1

C:\Windows\system32\sessionmsg.exe

C:\Windows\system32\sessionmsg.exe

C:\Users\Admin\AppData\Local\hDlK4cIQJ\sessionmsg.exe

C:\Users\Admin\AppData\Local\hDlK4cIQJ\sessionmsg.exe

C:\Windows\system32\cmstp.exe

C:\Windows\system32\cmstp.exe

C:\Users\Admin\AppData\Local\pcDZT5Yiq\cmstp.exe

C:\Users\Admin\AppData\Local\pcDZT5Yiq\cmstp.exe

C:\Windows\system32\eudcedit.exe

C:\Windows\system32\eudcedit.exe

C:\Users\Admin\AppData\Local\i1fyzGDUO\eudcedit.exe

C:\Users\Admin\AppData\Local\i1fyzGDUO\eudcedit.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp

Files

memory/5116-0-0x0000000140000000-0x0000000140342000-memory.dmp

memory/5116-1-0x000001C9D5890000-0x000001C9D5897000-memory.dmp

memory/3452-4-0x0000000000780000-0x0000000000781000-memory.dmp

memory/3452-8-0x00007FFCE34BA000-0x00007FFCE34BB000-memory.dmp

memory/3452-9-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-10-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-11-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-12-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-13-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-14-0x0000000140000000-0x0000000140342000-memory.dmp

memory/5116-7-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-15-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-17-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-18-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-16-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-19-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-20-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-21-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-22-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-23-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-6-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-24-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-26-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-27-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-25-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-28-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-29-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-30-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-33-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-34-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-35-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-36-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-37-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-32-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-31-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-39-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-40-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-38-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-41-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-42-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-43-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-44-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-45-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-46-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-47-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-48-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-50-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-52-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-54-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-57-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-58-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-56-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-59-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-60-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-55-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-61-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-62-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-63-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-65-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-64-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-53-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-51-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-49-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3452-74-0x0000000000720000-0x0000000000727000-memory.dmp

memory/3452-83-0x00007FFCE41A0000-0x00007FFCE41B0000-memory.dmp

C:\Users\Admin\AppData\Local\hDlK4cIQJ\DUI70.dll

MD5 790a699c0cf8160110b5736487daeb01
SHA1 c0635c3b3709b7b81f374b304785e207d8cf1a15
SHA256 d1d04b179c92e28ce1f5af139b205c8654f58eafd6c37a79cab84822b6f4f378
SHA512 3fb55e4b7085c2b8a5746764708c773fa3d08e376d7fa9975df94ded6b4d04aa5ac93a1c1c3cf90d81e6fb07eceecb2e56fef9e19af69d698d76bb6ff4fa9d3f

memory/2752-103-0x0000023839450000-0x0000023839457000-memory.dmp

C:\Users\Admin\AppData\Local\hDlK4cIQJ\DUI70.dll

MD5 2cc4628a99d70ff9df76504bb6451463
SHA1 9368e8ed16ad102b7c396698d787a21b91b76b08
SHA256 2da1620d0d9c1a4c262572f0f96825519594aa6183522f774025e83428b3ab17
SHA512 52045be8a70589a503075452b73fbfa3189ad8ee648f02903caa3f9ad2b85908a24f8323b4220efc5ae455a4b6f090a95748738e7dd61b73ed77ac290a99b716

C:\Users\Admin\AppData\Local\hDlK4cIQJ\sessionmsg.exe

MD5 480f710806b68dfe478ca1ec7d7e79cc
SHA1 b4fc97fed2dbff9c4874cb65ede7b50699db37cd
SHA256 2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc
SHA512 29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

C:\Users\Admin\AppData\Local\pcDZT5Yiq\VERSION.dll

MD5 c58849952a80c2de27647948be65def9
SHA1 ab3efa03968050169f6ac627fd3196ca4444acbb
SHA256 73cdd94bc744fa1299e38e608d025b66b9d09d33c84f0d7fe0ea12a1422a377a
SHA512 fa33204fc4bde02b07848041beb3e5edd266d08a775a014433b47971eb6626d687eede2ae8cfa52a9faf5104ceef91899b4ce1c90cbb3b4a6767148645fe1767

C:\Users\Admin\AppData\Local\pcDZT5Yiq\VERSION.dll

MD5 7dccb709e3b91b2cb1c01f07407b8d9d
SHA1 f9169049642d3d4cfcdca5a0a99478667bdd3208
SHA256 f83ca591b12232a5e0353f53ef82135134f8c1c748042bf226d76e601871494e
SHA512 f29984281b03ea705d58747a813ba1c35f2cff6cb90baccba7f17086a5b5f5a0c0858d3dc8f66ce57026e9c154f46968cbad2b8794e0a2ddce6037f7dc09ff0e

C:\Users\Admin\AppData\Local\pcDZT5Yiq\VERSION.dll

MD5 ae3e36f993ef02fd8bfa7effc8ce46a6
SHA1 95bca4ddaf0048f337a7761f1394246460146415
SHA256 58e06993ef91e95e15a3b7fc1f879da1d86705b29a7d9b5639df3617a626868e
SHA512 92274ea298c0188dd721faf9c0624bc493f08dee4e20033265bb8fd3241f49ac63cbf74880f34072b3c959f687012f9b0ce5a40a6b69a0979111d890b934cfc8

memory/752-123-0x00000267EF300000-0x00000267EF643000-memory.dmp

memory/752-125-0x00000267EF350000-0x00000267EF357000-memory.dmp

C:\Users\Admin\AppData\Local\pcDZT5Yiq\cmstp.exe

MD5 4cc43fe4d397ff79fa69f397e016df52
SHA1 8fd6cf81ad40c9b123cd75611860a8b95c72869c
SHA256 f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c
SHA512 851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

C:\Users\Admin\AppData\Local\i1fyzGDUO\MFC42u.dll

MD5 f537d0037bc7dcc9596c31d6b1f9e74f
SHA1 83fba525da88cbea58ad4749fb7a3c57d19bb1c1
SHA256 da8fc10cd2bfc4c05de4a707ac15c2b110707b1060ac64bb93f3b6dba3877cd7
SHA512 80ef256ee4aeae262adbe460b1707cd854cdc463bb54b7af42d9c391e27631011a862c8807b4a7300597b07d5b7f9fdb993e2cc38409af9b190915d6fabc77ad

C:\Users\Admin\AppData\Local\i1fyzGDUO\MFC42u.dll

MD5 98c15fc42f27a02e1b7d3f2bce9778b1
SHA1 32ce60c00bc30b78b63cd94e659cb608b92cc91d
SHA256 fd214af279053e5fff09e7cc6bd058707443b4a86f55ed394f22fec4a7bbf8a3
SHA512 9a6c4ebb1b7ccd3812a6869d2d40fb5ec1341e2b616e8fcef69f0325cc86c8775fd83b0663a0ed43bbd1de8223e921c39e6bc4c836da9bc83b7b8e48078f2362

memory/1016-139-0x0000027890D30000-0x0000027890D37000-memory.dmp

C:\Users\Admin\AppData\Local\i1fyzGDUO\eudcedit.exe

MD5 19668363dc3a17df970bf9982e8f5a16
SHA1 12cff8094e72811ccd4d479f628ff8c774becc16
SHA256 f1ad26b313efa4e2626395ac3b08d113bb45d6f0b517a2b52965b9ec30dcc3c5
SHA512 b968d442945ef4a5749369aeec2a11f0fce145fa431434ed60e8e6d9c1de8008639ebedd8b7eb86f1cba489f7f316c203e84981437a4e897be17d8daec39a5e8

C:\Users\Admin\AppData\Local\i1fyzGDUO\eudcedit.exe

MD5 875be1dd013de3dd17ad67ffc310e7da
SHA1 debd5dd07feae818fc809018436ee0c4e1c0ed53
SHA256 a8e02ba23629283b1c87a64e1418f06ca96122f7f44565b63f60cc2c58106709
SHA512 43fd8277660a0d3ade9057572d85d7cb87caa879742f1cc340501311a2ba6f22fdab05e99541f4f6c6474deeda71a643de753ed05b5a715d3aba061d4fde4f37

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk

MD5 cec0f950e856e6b4e788f68c746953ae
SHA1 fa53d3c5b7ae7384029f914ae11fcef37f84e55c
SHA256 d783420045096b7a554255fd03afef97faaf7604232efe20fe67672a13a3b16b
SHA512 62629deb1015430c360c9d05b66f937fe3ba816c593217fe36dc51da1ccdaa9bc9abdadb9ac7f236453b7eb975352acd4aa8253b31731bbc65ccadca45beaa5c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\2jb0tomuv\DUI70.dll

MD5 01629637611c35581ffc68f89017055b
SHA1 55e5db252c29126d2200ebb2c9c0bba0144e0e4a
SHA256 665a7c27db3e1d2808d4b54fb29b2d77f258b33092eddbf04e7ccb08be0517d4
SHA512 dac798cd09fd6233cc79ec3389f7059cba1da31ce5c9a18b5ee1e0e71ddab48a2cc3cdef71d13666631effcd0a0912942d8a889e9670da3b581ea3d203599dd2

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\qXK6\VERSION.dll

MD5 3c1b9f7fceef656545ab733d2bb4bcb0
SHA1 fc5a8d5b2b60fc1b8b01a59da9be9169b1f16e5e
SHA256 47a2c9edde0050e6460c1953ba6151826a10021138d80f3fc5d1e98eafabc9a1
SHA512 d2c01676260430f487e6aa98f901d72f397b1fcaf4a775acd8f7aa0ee29eb2487ce35a466176fb50ea2781be10829ac5b4be0120cf9a0498e86d4e57914410ea

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\SY8\MFC42u.dll

MD5 cb88448881f02fbde12d1c34eecde0a6
SHA1 f46772a4c04d27f6e171b53fa342caf412e062d9
SHA256 1ae3077908ba63c8be292e1d2dc6d0cfff0953829b7e84931547093e1ff9b34e
SHA512 d1c6a6fc26a65edcba4ba1aa83c65f1f057a4182f6e4cfe476267abb0ea49b9037bd45c72f73c8457255f6b9baf7d8f35ce7e2060f71ae871046987270a1acf7