Analysis
-
max time kernel
18s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
28-01-2024 22:24
Static task
static1
Behavioral task
behavioral1
Sample
afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe
Resource
win10-20231220-en
General
-
Target
afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe
-
Size
360KB
-
MD5
43896f9d956ad83ba3773b98374142f3
-
SHA1
b084817d14218928049a8f9c5bcef646aecc8bb3
-
SHA256
afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e
-
SHA512
96a783129f44a398259fd47a38f1ce50e3ab0c62b3b3c900030a18792a02bbed27f875f7df3ccdaeab3b667f0c5c627496665da14373e1ea21d98b3d6cbc7ffd
-
SSDEEP
6144:3rk3p+t3FksgTOzEV6zs1hfk8MIcG1Zb7d+0PuSCU4CzmJkdVds:bk3pcFkRTOzEV6zs1hfk8oYVd+Dj4mYM
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe -
Sets file execution options in registry 2 TTPs 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe kgu1uum7_1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "ivu.exe" kgu1uum7_1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe kgu1uum7_1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "krj.exe" kgu1uum7_1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe\Debugger = "bjj.exe" kgu1uum7_1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kgu1uum7.exe afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kgu1uum7.exe\DisableExceptionChainValidation afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe\Debugger = "edd.exe" kgu1uum7_1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe kgu1uum7_1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "egccwxg.exe" explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe kgu1uum7_1.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Executes dropped EXE 1 IoCs
pid Process 2492 kgu1uum7_1.exe -
Loads dropped DLL 1 IoCs
pid Process 2544 explorer.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\kgu1uum7.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\kgu1uum7.exe\"" explorer.exe -
Checks for any installed AV software in registry 1 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService kgu1uum7_1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus kgu1uum7_1.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA kgu1uum7_1.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\ProgramData\Java Updater\desktop.ini explorer.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
pid Process 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2492 kgu1uum7_1.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 kgu1uum7_1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString kgu1uum7_1.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2000 schtasks.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
NTFS ADS 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Temp\kgu1uum7_1.exe:1BB7FB68 explorer.exe File created C:\Users\Admin\AppData\Local\Temp\kgu1uum7_1.exe:1BB7FB68 explorer.exe -
Runs regedit.exe 1 IoCs
pid Process 2412 regedit.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe -
Suspicious behavior: MapViewOfSection 8 IoCs
pid Process 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2492 kgu1uum7_1.exe 2492 kgu1uum7_1.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process Token: SeDebugPrivilege 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe Token: SeRestorePrivilege 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe Token: SeBackupPrivilege 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe Token: SeLoadDriverPrivilege 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe Token: SeCreatePagefilePrivilege 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe Token: SeShutdownPrivilege 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe Token: SeTakeOwnershipPrivilege 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe Token: SeChangeNotifyPrivilege 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe Token: SeCreateTokenPrivilege 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe Token: SeMachineAccountPrivilege 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe Token: SeSecurityPrivilege 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe Token: SeAssignPrimaryTokenPrivilege 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe Token: SeCreateGlobalPrivilege 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe Token: 33 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe Token: SeDebugPrivilege 2544 explorer.exe Token: SeRestorePrivilege 2544 explorer.exe Token: SeBackupPrivilege 2544 explorer.exe Token: SeLoadDriverPrivilege 2544 explorer.exe Token: SeCreatePagefilePrivilege 2544 explorer.exe Token: SeShutdownPrivilege 2544 explorer.exe Token: SeTakeOwnershipPrivilege 2544 explorer.exe Token: SeChangeNotifyPrivilege 2544 explorer.exe Token: SeCreateTokenPrivilege 2544 explorer.exe Token: SeMachineAccountPrivilege 2544 explorer.exe Token: SeSecurityPrivilege 2544 explorer.exe Token: SeAssignPrimaryTokenPrivilege 2544 explorer.exe Token: SeCreateGlobalPrivilege 2544 explorer.exe Token: 33 2544 explorer.exe Token: SeDebugPrivilege 2492 kgu1uum7_1.exe Token: SeRestorePrivilege 2492 kgu1uum7_1.exe Token: SeBackupPrivilege 2492 kgu1uum7_1.exe Token: SeLoadDriverPrivilege 2492 kgu1uum7_1.exe Token: SeCreatePagefilePrivilege 2492 kgu1uum7_1.exe Token: SeShutdownPrivilege 2492 kgu1uum7_1.exe Token: SeTakeOwnershipPrivilege 2492 kgu1uum7_1.exe Token: SeChangeNotifyPrivilege 2492 kgu1uum7_1.exe Token: SeCreateTokenPrivilege 2492 kgu1uum7_1.exe Token: SeMachineAccountPrivilege 2492 kgu1uum7_1.exe Token: SeSecurityPrivilege 2492 kgu1uum7_1.exe Token: SeAssignPrimaryTokenPrivilege 2492 kgu1uum7_1.exe Token: SeCreateGlobalPrivilege 2492 kgu1uum7_1.exe Token: 33 2492 kgu1uum7_1.exe Token: SeCreatePagefilePrivilege 2492 kgu1uum7_1.exe Token: SeCreatePagefilePrivilege 2492 kgu1uum7_1.exe Token: SeCreatePagefilePrivilege 2492 kgu1uum7_1.exe Token: SeCreatePagefilePrivilege 2492 kgu1uum7_1.exe Token: SeCreatePagefilePrivilege 2492 kgu1uum7_1.exe -
Suspicious use of WriteProcessMemory 45 IoCs
description pid Process procid_target PID 1476 wrote to memory of 2544 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe 24 PID 1476 wrote to memory of 2544 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe 24 PID 1476 wrote to memory of 2544 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe 24 PID 1476 wrote to memory of 2544 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe 24 PID 1476 wrote to memory of 2544 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe 24 PID 1476 wrote to memory of 2544 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe 24 PID 1476 wrote to memory of 2544 1476 afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe 24 PID 2544 wrote to memory of 1336 2544 explorer.exe 8 PID 2544 wrote to memory of 1336 2544 explorer.exe 8 PID 2544 wrote to memory of 1336 2544 explorer.exe 8 PID 2544 wrote to memory of 1336 2544 explorer.exe 8 PID 2544 wrote to memory of 1336 2544 explorer.exe 8 PID 2544 wrote to memory of 1336 2544 explorer.exe 8 PID 2544 wrote to memory of 1360 2544 explorer.exe 7 PID 2544 wrote to memory of 1360 2544 explorer.exe 7 PID 2544 wrote to memory of 1360 2544 explorer.exe 7 PID 2544 wrote to memory of 1360 2544 explorer.exe 7 PID 2544 wrote to memory of 1360 2544 explorer.exe 7 PID 2544 wrote to memory of 1360 2544 explorer.exe 7 PID 2544 wrote to memory of 1220 2544 explorer.exe 5 PID 2544 wrote to memory of 1220 2544 explorer.exe 5 PID 2544 wrote to memory of 1220 2544 explorer.exe 5 PID 2544 wrote to memory of 1220 2544 explorer.exe 5 PID 2544 wrote to memory of 1220 2544 explorer.exe 5 PID 2544 wrote to memory of 1220 2544 explorer.exe 5 PID 2544 wrote to memory of 2804 2544 explorer.exe 29 PID 2544 wrote to memory of 2804 2544 explorer.exe 29 PID 2544 wrote to memory of 2804 2544 explorer.exe 29 PID 2544 wrote to memory of 2804 2544 explorer.exe 29 PID 2544 wrote to memory of 2804 2544 explorer.exe 29 PID 2544 wrote to memory of 2804 2544 explorer.exe 29 PID 2544 wrote to memory of 2492 2544 explorer.exe 30 PID 2544 wrote to memory of 2492 2544 explorer.exe 30 PID 2544 wrote to memory of 2492 2544 explorer.exe 30 PID 2544 wrote to memory of 2492 2544 explorer.exe 30 PID 2544 wrote to memory of 2492 2544 explorer.exe 30 PID 2544 wrote to memory of 2492 2544 explorer.exe 30 PID 2544 wrote to memory of 2492 2544 explorer.exe 30 PID 2492 wrote to memory of 2412 2492 kgu1uum7_1.exe 33 PID 2492 wrote to memory of 2412 2492 kgu1uum7_1.exe 33 PID 2492 wrote to memory of 2412 2492 kgu1uum7_1.exe 33 PID 2492 wrote to memory of 2412 2492 kgu1uum7_1.exe 33 PID 2492 wrote to memory of 2412 2492 kgu1uum7_1.exe 33 PID 2492 wrote to memory of 2412 2492 kgu1uum7_1.exe 33 PID 2492 wrote to memory of 2412 2492 kgu1uum7_1.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe"C:\Users\Admin\AppData\Local\Temp\afacb2632d8784016af274fe18140dd4edc038a89e3837b8570a73dc1a1b856e.exe"1⤵
- Sets file execution options in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Users\Admin\AppData\Local\Temp\kgu1uum7_1.exe/suac3⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\kgu1uum7.exe" /RL HIGHEST4⤵
- Creates scheduled task(s)
PID:2000
-
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\SysWOW64\regedit.exe"4⤵
- Runs regedit.exe
PID:2412
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1220
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1360
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1336
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2804
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
73KB
MD5108653152534ec8d1f993f1aaf9ec871
SHA17267c8b4a59bdefb5c2b8838081b75df0d7f9f6b
SHA256e59b25620aa4bd580f12f12e9e83b748d8499a10537d2aa8b895022b6f54dd6f
SHA512bae50f00354bf8108fe324b7bfec2c961fcbb6ad3febd9f342c102fe759a9b75bddc5d62cc2567a626511c853307b70b25941417abb42dde14c3adf1d4337201
-
Filesize
101KB
MD543ae4396d844c68a97d93de18810d017
SHA1c765bdc0c1ca270064810036e3484efaa83d0522
SHA256b09367d9ce06ac385d5229e2c20031e6897e547c19cffb2159c7f7692aba52ee
SHA512e65d07e16dfd50acec3ceba75ee908aae308fb03e5d69ab6c248fecef29eb655fe08a40f5a7c9219e9cd3e8298e7ffee81c45c7f9c916c337151cd866bbcbcfc
-
Filesize
106KB
MD5bb397abaeec27cf898938dc8ac811ff8
SHA1d2a0bc77723541d8df981df5a1a6e5936ea2f045
SHA256b05d4b0b9a41cd76ee95cccb60a31ccdd9e19be09bd0480dcdf61f78855d6e7e
SHA5124011b5a2d62774dc0f00ba0f2a1480533250ec10ad26008229a37e970a8c6ef4eb43f64d8aed5bdd6af2e73fc2e7d4557cb65c668caff72de395259b3976bbac