Analysis
-
max time kernel
353s -
max time network
376s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
08-02-2024 15:18
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20231222-en
General
-
Target
file.exe
-
Size
914KB
-
MD5
12ad4c2b63d32b4579f03992e362f8ef
-
SHA1
c38692667cdfd7f2b8bc67f3d7165f72fba74552
-
SHA256
d699d584b651c6da780801cb6c2fb074464ce36e46b287658913d8bb67d2329b
-
SHA512
c03c47ce05435eeed509021cd844a0530480b9cef30a60d0b7c1c4914b7b425edf86ef78be0e2929d198c5561e69445605d02a10a73a66ba11183f079f500ca0
-
SSDEEP
24576:+am4MROxnFD3wrXYf1rrcI0AilFEvxHPmE7ooj:+OMiJJrrcI0AilFEvxHP
Malware Config
Extracted
orcus
4.tcp.eu.ngrok.io:15428
0133d229c4e24006957c0e4ab3a52531
-
autostart_method
Registry
-
enable_keylogger
true
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
System3222
-
taskscheduler_taskname
System3222
-
watchdog_path
AppData\Sys322.exe
Signatures
-
Orcus main payload 1 IoCs
resource yara_rule behavioral2/files/0x0006000000023217-39.dat family_orcus -
Orcurs Rat Executable 2 IoCs
resource yara_rule behavioral2/memory/4944-0-0x0000000000EB0000-0x0000000000F9A000-memory.dmp orcus behavioral2/files/0x0006000000023217-39.dat orcus -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation file.exe Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation Orcus.exe Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation Sys322.exe -
Executes dropped EXE 7 IoCs
pid Process 2836 WindowsInput.exe 1596 WindowsInput.exe 372 Orcus.exe 100 Orcus.exe 3272 Sys322.exe 4800 Sys322.exe 3400 Orcus.exe -
Loads dropped DLL 37 IoCs
pid Process 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System3222 = "\"C:\\Program Files (x86)\\Orcus\\Orcus.exe\"" Orcus.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
flow ioc 12 4.tcp.eu.ngrok.io -
Drops file in System32 directory 14 IoCs
description ioc Process File created C:\Windows\SysWOW64\WindowsInput.exe.config file.exe File created C:\Windows\SysWOW64\WindowsInput.InstallState WindowsInput.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat svchost.exe File created C:\Windows\SysWOW64\WindowsInput.exe file.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk svchost.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\Orcus\Orcus.exe file.exe File opened for modification C:\Program Files (x86)\Orcus\Orcus.exe file.exe File created C:\Program Files (x86)\Orcus\Orcus.exe.config file.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings mspaint.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4800 Sys322.exe 4800 Sys322.exe 4800 Sys322.exe 372 Orcus.exe 372 Orcus.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe 4800 Sys322.exe 372 Orcus.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 372 Orcus.exe Token: SeDebugPrivilege 3272 Sys322.exe Token: SeDebugPrivilege 4800 Sys322.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 372 Orcus.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 372 Orcus.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 372 Orcus.exe 2692 mspaint.exe 2988 OpenWith.exe -
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target PID 4944 wrote to memory of 2836 4944 file.exe 84 PID 4944 wrote to memory of 2836 4944 file.exe 84 PID 4944 wrote to memory of 372 4944 file.exe 86 PID 4944 wrote to memory of 372 4944 file.exe 86 PID 4944 wrote to memory of 372 4944 file.exe 86 PID 372 wrote to memory of 3272 372 Orcus.exe 90 PID 372 wrote to memory of 3272 372 Orcus.exe 90 PID 372 wrote to memory of 3272 372 Orcus.exe 90 PID 3272 wrote to memory of 4800 3272 Sys322.exe 91 PID 3272 wrote to memory of 4800 3272 Sys322.exe 91 PID 3272 wrote to memory of 4800 3272 Sys322.exe 91 PID 372 wrote to memory of 1388 372 Orcus.exe 104 PID 372 wrote to memory of 1388 372 Orcus.exe 104 PID 372 wrote to memory of 1388 372 Orcus.exe 104 PID 1388 wrote to memory of 1980 1388 cmd.exe 106 PID 1388 wrote to memory of 1980 1388 cmd.exe 106 PID 1388 wrote to memory of 1980 1388 cmd.exe 106 PID 1388 wrote to memory of 5116 1388 cmd.exe 108 PID 1388 wrote to memory of 5116 1388 cmd.exe 108 PID 1388 wrote to memory of 5116 1388 cmd.exe 108 PID 1388 wrote to memory of 960 1388 cmd.exe 110 PID 1388 wrote to memory of 960 1388 cmd.exe 110 PID 1388 wrote to memory of 960 1388 cmd.exe 110 PID 372 wrote to memory of 404 372 Orcus.exe 112 PID 372 wrote to memory of 404 372 Orcus.exe 112 PID 372 wrote to memory of 404 372 Orcus.exe 112 PID 404 wrote to memory of 1728 404 cmd.exe 114 PID 404 wrote to memory of 1728 404 cmd.exe 114 PID 404 wrote to memory of 1728 404 cmd.exe 114 PID 404 wrote to memory of 976 404 cmd.exe 115 PID 404 wrote to memory of 976 404 cmd.exe 115 PID 404 wrote to memory of 976 404 cmd.exe 115 PID 404 wrote to memory of 3172 404 cmd.exe 116 PID 404 wrote to memory of 3172 404 cmd.exe 116 PID 404 wrote to memory of 3172 404 cmd.exe 116
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2836
-
-
C:\Program Files (x86)\Orcus\Orcus.exe"C:\Program Files (x86)\Orcus\Orcus.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Users\Admin\AppData\Roaming\Sys322.exe"C:\Users\Admin\AppData\Roaming\Sys322.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 372 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Users\Admin\AppData\Roaming\Sys322.exe"C:\Users\Admin\AppData\Roaming\Sys322.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 372 "/protectFile"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4800
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{386365d9-0e24-4dd9-86b1-ec6db5d8375a}.bat""3⤵
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\reg.exereg delete HKCR/.exe4⤵PID:1980
-
-
C:\Windows\SysWOW64\reg.exereg delete HKCR/.dll4⤵PID:5116
-
-
C:\Windows\SysWOW64\reg.exereg delete HKCR/*4⤵PID:960
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{b64d9d2d-7a9e-41c8-b1f6-90d0ea20240e}.bat""3⤵
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\reg.exereg delete HKCR/.exe4⤵PID:1728
-
-
C:\Windows\SysWOW64\reg.exereg delete HKCR/.dll4⤵PID:976
-
-
C:\Windows\SysWOW64\reg.exereg delete HKCR/*4⤵PID:3172
-
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
- Executes dropped EXE
PID:1596
-
C:\Program Files (x86)\Orcus\Orcus.exe"C:\Program Files (x86)\Orcus\Orcus.exe"1⤵
- Executes dropped EXE
PID:100
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\UndoAdd.jpeg" /ForceBootstrapPaint3D1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2692
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc1⤵
- Drops file in System32 directory
PID:3952
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:2988
-
C:\Program Files (x86)\Orcus\Orcus.exe"C:\Program Files (x86)\Orcus\Orcus.exe"1⤵
- Executes dropped EXE
PID:3400
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
914KB
MD512ad4c2b63d32b4579f03992e362f8ef
SHA1c38692667cdfd7f2b8bc67f3d7165f72fba74552
SHA256d699d584b651c6da780801cb6c2fb074464ce36e46b287658913d8bb67d2329b
SHA512c03c47ce05435eeed509021cd844a0530480b9cef30a60d0b7c1c4914b7b425edf86ef78be0e2929d198c5561e69445605d02a10a73a66ba11183f079f500ca0
-
Filesize
1KB
MD50672db2ef13237d5cb85075ff4915942
SHA1ad8b4d3eb5e40791c47d48b22e273486f25f663f
SHA2560a933408890369b5a178f9c30aa93d2c94f425650815cf8e8310de4e90a3b519
SHA51284ad10ba5b695567d33a52f786405a5544aa49d8d23631ba9edf3afa877c5dbd81570d15bcf74bce5d9fb1afad2117d0a4ef913b396c0d923afefe615619c84b
-
Filesize
174B
MD50788759f44355b956cae8668aa85bf99
SHA1b6d6596cacdab8a732df173911e231460788ddc9
SHA25622c41c5bf7d98874fc676bd6a14718093f180a9d20f4c70b8601a4144f1ab26c
SHA51206e461beba4a4140a54b8ed14bace096630d30647ec437cf0e58009706a8785b03fff51cf1da857001d482c08ec5d80fc85331ca6bd029a2228040b34fa3e3bf
-
C:\Users\Admin\AppData\Roaming\ASystem\lib_0133d229c4e24006957c0e4ab3a52531\AForge.Video.DirectShow.dll
Filesize60KB
MD517ed442e8485ac3f7dc5b3c089654a61
SHA1d3a17c1fdd6d54951141053f88bf8238dea0b937
SHA256666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b
SHA5129118bf11760354e9971ae8b27f7f6a405e46145b39ca6e6b413cb2e729e51304b895965e9140f66c9e3ef7caa4f344762bf059688b23dd32e4c2df271394fea2
-
Filesize
20KB
MD50bd34aa29c7ea4181900797395a6da78
SHA1ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8
SHA256bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d
SHA512a3734660c0aba1c2b27ab55f9e578371b56c82754a3b7cfd01e68c88967c8dada8d202260220831f1d1039a5a35bd1a67624398e689702481ac056d1c1ddcdb0
-
Filesize
516KB
MD5dde3ec6e17bc518b10c99efbd09ab72e
SHA1a2306e60b74b8a01a0dbc1199a7fffca288f2033
SHA25660a5077b443273238e6629ce5fc3ff7ee3592ea2e377b8fc28bfe6e76bda64b8
SHA51209a528c18291980ca7c5ddca67625035bbb21b9d95ab0854670d28c59c4e7adc6d13a356fa1d2c9ad75d16b334ae9818e06ddb10408a3e776e4ef0d7b295f877
-
Filesize
224KB
MD5314955d214bb02847e7f8607a16ec550
SHA1c471e2948d0cd1d4a11902a134735f00cd78c0c1
SHA25682fd40348eb630313d5032910d021ebd982fdde086fbe73ba8947a6d2cb40357
SHA5120ea2457db279159c1983455eee50a69305a151c012b9948950d038c101efc08a00da1f456a76a4351770684783c2e01a536ea194bb7f586865865d90d6dbb8de
-
C:\Users\Admin\AppData\Roaming\ASystem\lib_0133d229c4e24006957c0e4ab3a52531\ICSharpCode.SharpZipLib.dll
Filesize196KB
MD5c8164876b6f66616d68387443621510c
SHA17a9df9c25d49690b6a3c451607d311a866b131f4
SHA25640b3d590f95191f3e33e5d00e534fa40f823d9b1bb2a9afe05f139c4e0a3af8d
SHA51244a6accc70c312a16d0e533d3287e380997c5e5d610dbeaa14b2dbb5567f2c41253b895c9817ecd96c85d286795bbe6ab35fd2352fddd9d191669a2fb0774bc4
-
Filesize
843KB
MD5bf0ef47bea0139b87d42a449a0240101
SHA137b65cd6830088707be692d4602b10062a46b91a
SHA25607ec44bca9b44de3b22f9d212db3ecc5191201e27e4310d7bb2b199deffbab5a
SHA512830c5b380c844a8490cf482ef4ca4821b6185f5fd204c3edf21de0b449727448835b9cbfb103eb74aa91f05abb7390ed1c0ed5e815a7101d9127fc38382daa8a
-
Filesize
125KB
MD52b44c70c49b70d797fbb748158b5d9bb
SHA193e00e6527e461c45c7868d14cf05c007e478081
SHA2563762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf
SHA512faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0
-
Filesize
271KB
MD598eb5ba5871acdeaebf3a3b0f64be449
SHA1c965284f60ef789b00b10b3df60ee682b4497de3
SHA256d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c
SHA512a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2
-
Filesize
338KB
MD5934da0e49208d0881c44fe19d5033840
SHA1a19c5a822e82e41752a08d3bd9110db19a8a5016
SHA25602da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7
SHA512de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59
-
Filesize
247KB
MD5ffb4b61cc11bec6d48226027c2c26704
SHA1fa8b9e344accbdc4dffa9b5d821d23f0716da29e
SHA256061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303
SHA51248aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9
-
Filesize
64KB
MD520aa983bd64aa1f8a37d9e61961eabec
SHA148dfd92883f6b60252ab01e57f8de75d21edf173
SHA256ace8dc565164e7612ed3f964a5d16bdcdda0aac7185ba3639b3b7c6064ca1124
SHA51227560fc2983cde678bc3367563c05452004db9dc2523e30ed43ecc413e1ead0eb5d77152f17bd17c58dfe48b2ff7c1c413b6b4da483a664bab3167e74dc3486d
-
Filesize
1.3MB
MD5ac6acc235ebef6374bed71b37e322874
SHA1a267baad59cd7352167636836bad4b971fcd6b6b
SHA256047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96
SHA51272ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081
-
Filesize
646KB
MD582898ed19da89d7d44e280a3ced95e9b
SHA1eec0af5733c642eac8c5e08479f462d1ec1ed4db
SHA2565f4b9f8360764d75c9faaecd94f6d200c54611b33064cd216e363d973dae7c29
SHA512ee7b884ce7d7366ee28fb17721b6c89bd4eba8fb373cdbb483e26a4ed7a74ab5db847513c54704d753d77a7e18b1fb9fee90ed6bbc0540bff702273fda36b682
-
Filesize
9KB
MD5913967b216326e36a08010fb70f9dba3
SHA17b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA2568d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33
-
Filesize
21KB
MD5e6fcf516d8ed8d0d4427f86e08d0d435
SHA1c7691731583ab7890086635cb7f3e4c22ca5e409
SHA2568dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad