Analysis
-
max time kernel
144s -
max time network
157s -
platform
windows11-21h2_x64 -
resource
win11-20241023-en -
resource tags
arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system -
submitted
29-10-2024 12:54
Static task
static1
Behavioral task
behavioral1
Sample
c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral4
Sample
c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe
Resource
win11-20241023-en
General
-
Target
c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe
-
Size
1.2MB
-
MD5
d29f991dff39fe56501f4e530f57f9fc
-
SHA1
33613d88ffee18ce6240032e9134a1ca25e71832
-
SHA256
c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea
-
SHA512
bf9cf8a6e827986d52d49f31995aaa9b40fbfbbafb3624bd0dfe28c72cd1338bfab4e35e8c123c7fba13ce38b79bec6eb59b14c2ac89d934e8a8fb9780d4e581
-
SSDEEP
24576:G8WP6XlIJGBLj1k9E8MK2MipAlFlQoqIhtjrzPnd+DHfsYbvtwgq:goqJG9d8knqlQoqIzPd8Hfsgvn
Malware Config
Extracted
amadey
3.80
9c0adb
http://193.3.19.154
-
install_dir
cb7ae701b3
-
install_file
oneetx.exe
-
strings_key
23b27c80db2465a8e1dc15491b69b82f
-
url_paths
/store/games/index.php
Signatures
-
Amadey family
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral4/files/0x001a00000002abc7-30.dat healer behavioral4/memory/5036-32-0x00000000002D0000-0x00000000002DA000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection az975613.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" az975613.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" az975613.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" az975613.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" az975613.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" az975613.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 34 IoCs
resource yara_rule behavioral4/memory/2752-55-0x0000000004C90000-0x0000000004CCC000-memory.dmp family_redline behavioral4/memory/2752-57-0x0000000004F40000-0x0000000004F7A000-memory.dmp family_redline behavioral4/memory/2752-117-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-119-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-115-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-113-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-111-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-109-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-107-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-105-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-103-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-101-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-99-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-97-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-95-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-93-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-91-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-89-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-87-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-85-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-83-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-81-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-79-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-77-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-75-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-73-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-71-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-69-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-67-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-65-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-63-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-61-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-59-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline behavioral4/memory/2752-58-0x0000000004F40000-0x0000000004F75000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 9 IoCs
pid Process 1668 ki334387.exe 4216 ki099472.exe 3332 ki127879.exe 5036 az975613.exe 1096 bu200681.exe 3756 oneetx.exe 2752 cf107942.exe 2820 oneetx.exe 1432 oneetx.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" az975613.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" ki127879.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ki334387.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" ki099472.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ki334387.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bu200681.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ki127879.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cf107942.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ki099472.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language oneetx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4120 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 5036 az975613.exe 5036 az975613.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 5036 az975613.exe Token: SeDebugPrivilege 2752 cf107942.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1096 bu200681.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 2760 wrote to memory of 1668 2760 c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe 78 PID 2760 wrote to memory of 1668 2760 c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe 78 PID 2760 wrote to memory of 1668 2760 c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe 78 PID 1668 wrote to memory of 4216 1668 ki334387.exe 79 PID 1668 wrote to memory of 4216 1668 ki334387.exe 79 PID 1668 wrote to memory of 4216 1668 ki334387.exe 79 PID 4216 wrote to memory of 3332 4216 ki099472.exe 80 PID 4216 wrote to memory of 3332 4216 ki099472.exe 80 PID 4216 wrote to memory of 3332 4216 ki099472.exe 80 PID 3332 wrote to memory of 5036 3332 ki127879.exe 81 PID 3332 wrote to memory of 5036 3332 ki127879.exe 81 PID 3332 wrote to memory of 1096 3332 ki127879.exe 82 PID 3332 wrote to memory of 1096 3332 ki127879.exe 82 PID 3332 wrote to memory of 1096 3332 ki127879.exe 82 PID 1096 wrote to memory of 3756 1096 bu200681.exe 83 PID 1096 wrote to memory of 3756 1096 bu200681.exe 83 PID 1096 wrote to memory of 3756 1096 bu200681.exe 83 PID 4216 wrote to memory of 2752 4216 ki099472.exe 84 PID 4216 wrote to memory of 2752 4216 ki099472.exe 84 PID 4216 wrote to memory of 2752 4216 ki099472.exe 84 PID 3756 wrote to memory of 4120 3756 oneetx.exe 85 PID 3756 wrote to memory of 4120 3756 oneetx.exe 85 PID 3756 wrote to memory of 4120 3756 oneetx.exe 85 PID 3756 wrote to memory of 4720 3756 oneetx.exe 87 PID 3756 wrote to memory of 4720 3756 oneetx.exe 87 PID 3756 wrote to memory of 4720 3756 oneetx.exe 87 PID 4720 wrote to memory of 1744 4720 cmd.exe 89 PID 4720 wrote to memory of 1744 4720 cmd.exe 89 PID 4720 wrote to memory of 1744 4720 cmd.exe 89 PID 4720 wrote to memory of 3600 4720 cmd.exe 90 PID 4720 wrote to memory of 3600 4720 cmd.exe 90 PID 4720 wrote to memory of 3600 4720 cmd.exe 90 PID 4720 wrote to memory of 4992 4720 cmd.exe 91 PID 4720 wrote to memory of 4992 4720 cmd.exe 91 PID 4720 wrote to memory of 4992 4720 cmd.exe 91 PID 4720 wrote to memory of 2112 4720 cmd.exe 92 PID 4720 wrote to memory of 2112 4720 cmd.exe 92 PID 4720 wrote to memory of 2112 4720 cmd.exe 92 PID 4720 wrote to memory of 1936 4720 cmd.exe 93 PID 4720 wrote to memory of 1936 4720 cmd.exe 93 PID 4720 wrote to memory of 1936 4720 cmd.exe 93 PID 4720 wrote to memory of 2424 4720 cmd.exe 94 PID 4720 wrote to memory of 2424 4720 cmd.exe 94 PID 4720 wrote to memory of 2424 4720 cmd.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe"C:\Users\Admin\AppData\Local\Temp\c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki334387.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki334387.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki099472.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki099472.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127879.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127879.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5036
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu200681.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu200681.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4120
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵
- System Location Discovery: System Language Discovery
PID:1744
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"8⤵
- System Location Discovery: System Language Discovery
PID:3600
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E8⤵
- System Location Discovery: System Language Discovery
PID:4992
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵
- System Location Discovery: System Language Discovery
PID:2112
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:N"8⤵
- System Location Discovery: System Language Discovery
PID:1936
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:R" /E8⤵
- System Location Discovery: System Language Discovery
PID:2424
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf107942.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf107942.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2752
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exeC:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe1⤵
- Executes dropped EXE
PID:2820
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exeC:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe1⤵
- Executes dropped EXE
PID:1432
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
852KB
MD5f4d5446b7526a88d296ff84e4bfa576e
SHA132adb32e235180b3b5c6af08258814db484a9ca6
SHA256e5ebec2cbd517d24bce4c8ab411b51551ec1700cbc253db0acc9512d4f2fbaf1
SHA512832ee4d62e735c16c447a00665eca7eac12cad02ebb0875fbbbc5a349bfc4fcebcbea69a2235f63311f688c1d5810b688d4e1fe425b1fbf69fd7c71a1bc6cc1d
-
Filesize
578KB
MD5f97e5dc74a30ee94dcd9308c9a15d629
SHA1aa6f4d56ef656fe46759455cd31c621c449c290c
SHA256e35c7c46ffdb9c2c6fadaa6efa1023d434207e8001a6a6b1868904df955eb3e8
SHA5124ed2494373693007585ff62aded6e5d08b1b081b37452d031dff4ef0fd9a8c3f4b0a45b0454c0d1519057596b50b05b51c8de901ae2cbe088ee286439da1ca85
-
Filesize
353KB
MD5de8348a2854e7a051783fc14fb28b95e
SHA17cf59b54a2f5898b02c66d58899c7585e7423eac
SHA2561c5ba61085c5579040b75e5c05357eb0f0f14ae0265b8941cd38f62a623ed57a
SHA512233c668ca4f8df9e2d603e09fb69647465c1a00fb58c8277585fbd4983cf3c49480b892bc4288eae6d16d2e281c602d69da3fa82b03a249f45eaad16194621ad
-
Filesize
223KB
MD514959501f275d4d39bb38ad94bc50210
SHA14203952ae7f7090a696ccb225a7b23d511887a6e
SHA2567c81324faf9ef8d1dd51c2041f137a0f957f1a517f8a6b1864cac31839091252
SHA5128cd9fc7e75a4c90806fc060c13c1cb844d0238f0a5ad2d73374aabde7a5dc2d97be8bc065eddb9254fefd59f963eb94617dd8e740cd74a013df945cc173b3ef3
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
11KB
MD5b7759166a0f1807b202b45f510c2172e
SHA1ef160ebdf82a6cadd27197fb589a3786e58e3fa5
SHA256825eb1a627f34c3d1fad85cb5904b5ac0fded65f677c5a85fa992e42c450fd99
SHA5125085882d85f2d3ab9fa2c2b3bfbde24072ae732b02529946700df1ee92fbafb0e7d305bf21f6034b44012d310495bc7ebd4826b226685a1cc3790b429d0169ec