Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
26/09/2024, 02:02
Static task
static1
Behavioral task
behavioral1
Sample
922590e679f418d5e871ed027a0fb986c15439d381046e2c6c01d1f100da1ed3.msi
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
922590e679f418d5e871ed027a0fb986c15439d381046e2c6c01d1f100da1ed3.msi
Resource
win10v2004-20240802-en
General
-
Target
922590e679f418d5e871ed027a0fb986c15439d381046e2c6c01d1f100da1ed3.msi
-
Size
2.2MB
-
MD5
bbf5cd6b084221a207c6d4948b48cf52
-
SHA1
6c4560eb2358f2a0041e1db56bcce232fb13d20d
-
SHA256
922590e679f418d5e871ed027a0fb986c15439d381046e2c6c01d1f100da1ed3
-
SHA512
09f6eb8582c170fb5bd01d5f9f57697d5c3e011df1790ddc44cff2c15a7df35d2c7273f68ffef7a54e45c72e99299ddf048ea65696a9eaf70df7d6005ab5e328
-
SSDEEP
49152:FEiJT5NKpt6ikhfxm2C6VQQQe/dJLXgiTRsanWzywHB5PML5YmbK:FEiJVNut6zhfxo6aArs1yg5P4bK
Malware Config
Signatures
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSOneDrive = "C:\\Users\\Admin\\AppData\\Local\\MsOneDrive\\client32.exe" reg.exe -
Blocklisted process makes network request 4 IoCs
flow pid Process 2 4676 msiexec.exe 6 4676 msiexec.exe 10 4676 msiexec.exe 12 4676 msiexec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\V: msiexec.exe -
Drops file in Windows directory 8 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSIA3D1.tmp msiexec.exe File created C:\Windows\Installer\e57a2ca.msi msiexec.exe File created C:\Windows\Installer\e57a2c8.msi msiexec.exe File opened for modification C:\Windows\Installer\e57a2c8.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{5FE62CC3-0C02-41FE-96AE-EEEECA11AE27} msiexec.exe -
Executes dropped EXE 1 IoCs
pid Process 2620 client32.exe -
Loads dropped DLL 6 IoCs
pid Process 2620 client32.exe 2620 client32.exe 2620 client32.exe 2620 client32.exe 2620 client32.exe 2620 client32.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 4676 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language client32.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e7a671f193ce7b7c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e7a671f10000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e7a671f1000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de7a671f1000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e7a671f100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2532 reg.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3392 msiexec.exe 3392 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 4676 msiexec.exe Token: SeIncreaseQuotaPrivilege 4676 msiexec.exe Token: SeSecurityPrivilege 3392 msiexec.exe Token: SeCreateTokenPrivilege 4676 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4676 msiexec.exe Token: SeLockMemoryPrivilege 4676 msiexec.exe Token: SeIncreaseQuotaPrivilege 4676 msiexec.exe Token: SeMachineAccountPrivilege 4676 msiexec.exe Token: SeTcbPrivilege 4676 msiexec.exe Token: SeSecurityPrivilege 4676 msiexec.exe Token: SeTakeOwnershipPrivilege 4676 msiexec.exe Token: SeLoadDriverPrivilege 4676 msiexec.exe Token: SeSystemProfilePrivilege 4676 msiexec.exe Token: SeSystemtimePrivilege 4676 msiexec.exe Token: SeProfSingleProcessPrivilege 4676 msiexec.exe Token: SeIncBasePriorityPrivilege 4676 msiexec.exe Token: SeCreatePagefilePrivilege 4676 msiexec.exe Token: SeCreatePermanentPrivilege 4676 msiexec.exe Token: SeBackupPrivilege 4676 msiexec.exe Token: SeRestorePrivilege 4676 msiexec.exe Token: SeShutdownPrivilege 4676 msiexec.exe Token: SeDebugPrivilege 4676 msiexec.exe Token: SeAuditPrivilege 4676 msiexec.exe Token: SeSystemEnvironmentPrivilege 4676 msiexec.exe Token: SeChangeNotifyPrivilege 4676 msiexec.exe Token: SeRemoteShutdownPrivilege 4676 msiexec.exe Token: SeUndockPrivilege 4676 msiexec.exe Token: SeSyncAgentPrivilege 4676 msiexec.exe Token: SeEnableDelegationPrivilege 4676 msiexec.exe Token: SeManageVolumePrivilege 4676 msiexec.exe Token: SeImpersonatePrivilege 4676 msiexec.exe Token: SeCreateGlobalPrivilege 4676 msiexec.exe Token: SeBackupPrivilege 4380 vssvc.exe Token: SeRestorePrivilege 4380 vssvc.exe Token: SeAuditPrivilege 4380 vssvc.exe Token: SeBackupPrivilege 3392 msiexec.exe Token: SeRestorePrivilege 3392 msiexec.exe Token: SeRestorePrivilege 3392 msiexec.exe Token: SeTakeOwnershipPrivilege 3392 msiexec.exe Token: SeRestorePrivilege 3392 msiexec.exe Token: SeTakeOwnershipPrivilege 3392 msiexec.exe Token: SeRestorePrivilege 3392 msiexec.exe Token: SeTakeOwnershipPrivilege 3392 msiexec.exe Token: SeRestorePrivilege 3392 msiexec.exe Token: SeTakeOwnershipPrivilege 3392 msiexec.exe Token: SeRestorePrivilege 3392 msiexec.exe Token: SeTakeOwnershipPrivilege 3392 msiexec.exe Token: SeRestorePrivilege 3392 msiexec.exe Token: SeTakeOwnershipPrivilege 3392 msiexec.exe Token: SeRestorePrivilege 3392 msiexec.exe Token: SeTakeOwnershipPrivilege 3392 msiexec.exe Token: SeRestorePrivilege 3392 msiexec.exe Token: SeTakeOwnershipPrivilege 3392 msiexec.exe Token: SeRestorePrivilege 3392 msiexec.exe Token: SeTakeOwnershipPrivilege 3392 msiexec.exe Token: SeRestorePrivilege 3392 msiexec.exe Token: SeTakeOwnershipPrivilege 3392 msiexec.exe Token: SeRestorePrivilege 3392 msiexec.exe Token: SeTakeOwnershipPrivilege 3392 msiexec.exe Token: SeRestorePrivilege 3392 msiexec.exe Token: SeTakeOwnershipPrivilege 3392 msiexec.exe Token: SeRestorePrivilege 3392 msiexec.exe Token: SeTakeOwnershipPrivilege 3392 msiexec.exe Token: SeRestorePrivilege 3392 msiexec.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 4676 msiexec.exe 4676 msiexec.exe 2620 client32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 3392 wrote to memory of 4576 3392 msiexec.exe 92 PID 3392 wrote to memory of 4576 3392 msiexec.exe 92 PID 3392 wrote to memory of 2532 3392 msiexec.exe 95 PID 3392 wrote to memory of 2532 3392 msiexec.exe 95 PID 3392 wrote to memory of 2620 3392 msiexec.exe 94 PID 3392 wrote to memory of 2620 3392 msiexec.exe 94 PID 3392 wrote to memory of 2620 3392 msiexec.exe 94 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\922590e679f418d5e871ed027a0fb986c15439d381046e2c6c01d1f100da1ed3.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4676
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3392 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:4576
-
-
C:\Users\Admin\AppData\Local\MsOneDrive\client32.exe"C:\Users\Admin\AppData\Local\MsOneDrive\client32.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2620
-
-
C:\Windows\system32\reg.exereg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v MSOneDrive /t REG_SZ /d "C:\Users\Admin\AppData\Local\MsOneDrive\client32.exe"2⤵
- Adds Run key to start application
- Modifies registry key
PID:2532
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4380
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Installer Packages
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Installer Packages
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD58bdb64e1e7c7a1ea1b0a80ec0e79a655
SHA198d383cc9f08cdabc846cdccedcd7bb02a9c2c70
SHA256b3c7b4a036a871e2b59bb1a5d32a2fbff84ac2537a1bc8378a9f2ac2cc995703
SHA512f15636ba7d08850f618b301c2bd1656c948c60ae291d93a4ad9da3dab7a1a5869cb639e4341b37d389836fbf1f589ca2894cbf79354de48198f00cbb0b9458f1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30069012ED3CF5DB92F9F4FC78D55E2D_16AA5B9B040CB195ADDB70661F18F3C5
Filesize1KB
MD5d0412981888317bab9a04146957f3573
SHA1933b8dd26c04196f28932b578f209736717ed85a
SHA256dc2bf8a6ed4da7c429c8893f061b532e8d33e16f0e3e8fb4a4bb7195a2daccdf
SHA512c427548bbaf8313834af55d641b2c736dc3c0e8e62014980e8c54894586176fdaed4c94a65a9c0e8e5162f080bb16694bc13267a2e98615bf826a1623695311c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B03113490075047F519A3F760F0FF379_EAA7EAA3882323A05D27C396DC25384C
Filesize2KB
MD5830f23aac335fdb9ee36cea170f4d4f5
SHA12db892d01fd2b2936666c8f4bade59a98e8abf88
SHA256304094b2b4556837950512f2b174c48ccbecf75dc6eef9c1180a0f4154c97055
SHA5122d0b7f380c16661547042175fc1acebdc170e6c6a149612b2602d7d4d7495b2d44186a6cd66ba95f8a5150881573a2dcee3443cce89fe93da7008bd65b1f153e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30069012ED3CF5DB92F9F4FC78D55E2D_16AA5B9B040CB195ADDB70661F18F3C5
Filesize412B
MD5606daf9f63f90940541f33f239513acd
SHA19881b04b8b2a686f2735844176743480c8136ee5
SHA25625d4fe2e1bb18cad85e24cef9faad494471270ff88aaad459979d87d9a42543f
SHA5126846184d5450d3e986c74cb105eae0ef7bbc7bb076a0d1d49fc4d4bada843cf10fdd6a4aeb137adac61ecd606de3bf11dc2931dc2178d0e586ddf09477b846f0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B03113490075047F519A3F760F0FF379_EAA7EAA3882323A05D27C396DC25384C
Filesize428B
MD5e574f29c58cc2674044c77b4a774d92d
SHA189e4c28d98c3f9092cc5b99dab681c9ab4917a75
SHA2565dcc486b8c29cfa04464a3556d3b92649ab76d45e10f6feecf7576e1aefc8061
SHA51229f5cf48bff6b197bef791dde32a061f7a2d9664def3c969e2c7da4f442a8138a59ab98b4b9a684b4077fb209508fdf53ce51bc738b8a0f981a67bd43610236c
-
Filesize
306KB
MD53eed18b47412d3f91a394ae880b56ed2
SHA11b521a3ed4a577a33cce78eee627ae02445694ab
SHA25613a17f2ad9288aac8941d895251604beb9524fa3c65c781197841ee15480a13f
SHA512835f35af4fd241caa8b6a639626b8762db8525ccceb43afe8fffc24dffad76ca10852a5a8e9fc114bfbf7d1dc1950130a67037fc09b63a74374517a1f5448990
-
Filesize
755KB
MD50e37fbfa79d349d672456923ec5fbbe3
SHA14e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA2568793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA5122bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630
-
Filesize
262B
MD5b9956282a0fed076ed083892e498ac69
SHA1d14a665438385203283030a189ff6c5e7c4bf518
SHA256fcc6afd664a8045bd61c398be3c37a97536a199a48d277e11977f93868ae1acc
SHA5127daa09113c0e8a36c91cc6d657c65851a20dff6b60ac3d2f40c5737c12c1613c553955f84d131ba2139959973fef9fc616ca5e968cb16c25acf2d4739eed87eb
-
Filesize
44KB
MD59daa86d91a18131d5caf49d14fb8b6f2
SHA16b2f7ceb6157909e114a2b05a48a1a2606b5caf1
SHA2561716640cce74322f7ee3e3e02b75cd53b91686f66e389d606dab01bd9f88c557
SHA5129a98e0d9e2dda8aefa54bddb3c7b71501d638dff68863939de6caa117b0e7bf15e581a75419ef8a0da3f1c56a19f1b0f4c86d65f8581773ab88ff5764b9bb3aa
-
Filesize
27KB
MD5e311935a26ee920d5b7176cfa469253c
SHA1eda6c815a02c4c91c9aacd819dc06e32ececf8f0
SHA2560038ab626624fa2df9f65dd5e310b1206a9cd4d8ab7e65fb091cc25f13ebd34e
SHA51248164e8841cfc91f4cbf4d3291d4f359518d081d9079a7995378f970e4085b534f4bafc15b83f4824cc79b5a1e54457b879963589b1acbcfe727a03eb3dffd1c
-
Filesize
3.3MB
MD5f782c24a376285c9b8a3a116175093f8
SHA1b8fdb6e95c7313cf31f14a3a31cc334b56e6df09
SHA256c7baf1647f6fef1b1a4231c9743f20f7a4b524ca4eb987a0acbeeef7e037d7e3
SHA512256385a6663dcf70a5a9a1b766d1f826760f07efa9b9248047dc43d41f6a9f4dd56ca2b218c222ea1d441e2f7ba9bb114cde6954827b9761ebb1f23bba7ad1bb
-
Filesize
104KB
MD5f6abef857450c97ea74cd8f0eb9a8c0a
SHA1a1acdd10f5a8f8b086e293c6a60c53630ad319fb
SHA256db0acb4a3082edc19ca9a78b059258ea36b4be16eee4f1172115fc83e693a903
SHA512b6a2196ebfa51bb3fb8fb2b95ad5275828ab5435fd859fc993e2b3ed92a74799fe1c8b178270f99c79432f39aa9dbc0090038f037fcb651ab75c14b18102671f
-
Filesize
664B
MD514f6ebed5e1176f17c18d00a2dc64b2e
SHA1cb9c079373658ce098e1d07d4a2c997bf3141b4b
SHA256d4c1f00382f01abbb3142ef6d9c3e51557d0ced12a52861d8c5df44d1ce723ac
SHA512e5f24a695749d693e873ea60b8caaff5cb3b306887721e3f9f308afe697fba37f3a6226322aedebb46764d6bbbaf21df44d4c6a02db49b067437d7e7d0cceaf9
-
Filesize
2.2MB
MD5bbf5cd6b084221a207c6d4948b48cf52
SHA16c4560eb2358f2a0041e1db56bcce232fb13d20d
SHA256922590e679f418d5e871ed027a0fb986c15439d381046e2c6c01d1f100da1ed3
SHA51209f6eb8582c170fb5bd01d5f9f57697d5c3e011df1790ddc44cff2c15a7df35d2c7273f68ffef7a54e45c72e99299ddf048ea65696a9eaf70df7d6005ab5e328
-
Filesize
23.7MB
MD5a168d288ec4ddca59252fb63b1634543
SHA150485c9e2b7c2d31f78a16371db2499150ac8fac
SHA25637f3d5960a3a5beb82c00bb98330a7c8f61bbf84ce94858e54224884a0ba9a74
SHA5125c5b6e7a706dc02fb8f525098ac89ceea75265cca7574d4162b38f3a22c15209d088bb6582ccd0e31792ed98d57924c67b694b72f2d1cedc0a00c5ee943b0eee
-
\??\Volume{f171a6e7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b298bd3d-b913-47de-9152-2f84f1164f1e}_OnDiskSnapshotProp
Filesize6KB
MD578d330358eb4003685b810878f737bf0
SHA1f6e1c88225c001dececa075d9e12bc28d5b00902
SHA2560dfa0299bf99d3e5484da6c3169d09b4a9d1a460ea29a5183d7759599f0d9e96
SHA512f1a745b40d93e5b36ab9e4dccd15e6fc1633e400300bac3717e2e83f74c3e0deab04fabe90e08fdd433e5ce2909e4996e3153b84a7d5c5d1d9a4cd951fa76347