Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
31-10-2024 08:24
Static task
static1
Behavioral task
behavioral1
Sample
167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe
Resource
win7-20241010-en
General
-
Target
167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe
-
Size
583KB
-
MD5
9a107d347610b8a0c9aaf492ed6a5e8d
-
SHA1
26e6dc683a9a4a00a6adf3601a11e5a679ab8b29
-
SHA256
167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5
-
SHA512
ca09f3c4b15e74b678cf6e199f55c6d462e15495226fa915031ee5e36f212d8e1a0814d4841ced27bd06f3de3dbf60c1b809086b4cea5b8bf2692b8de0fe148d
-
SSDEEP
12288:x+azbvt7a3iwbihym2g7XO3LWUQfh4Co:xBzbA+gkE2fh4Co
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 1384 cmd.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini Logo1_.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini Logo1_.exe -
Executes dropped EXE 2 IoCs
pid Process 2168 Logo1_.exe 2888 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe -
Loads dropped DLL 1 IoCs
pid Process 1384 cmd.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ku_IQ\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Sidebar\it-IT\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\DVD Maker\de-DE\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\Office14\1033\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\_desktop.ini Logo1_.exe File created C:\Program Files\DVD Maker\it-IT\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\plugins\d3d9\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Mail\es-ES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Portal\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\km\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_PT\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Google\Update\Offline\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\microsoft shared\Help\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Sidebar\en-US\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Games\FreeCell\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\gd\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jre7\lib\zi\Indian\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Games\Purble Place\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\rundl132.exe 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe File created C:\Windows\Logo1_.exe 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\Dll.dll Logo1_.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Logo1_.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 43 IoCs
pid Process 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe 2168 Logo1_.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 2188 wrote to memory of 1560 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 30 PID 2188 wrote to memory of 1560 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 30 PID 2188 wrote to memory of 1560 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 30 PID 2188 wrote to memory of 1560 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 30 PID 1560 wrote to memory of 2080 1560 net.exe 32 PID 1560 wrote to memory of 2080 1560 net.exe 32 PID 1560 wrote to memory of 2080 1560 net.exe 32 PID 1560 wrote to memory of 2080 1560 net.exe 32 PID 2188 wrote to memory of 1384 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 33 PID 2188 wrote to memory of 1384 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 33 PID 2188 wrote to memory of 1384 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 33 PID 2188 wrote to memory of 1384 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 33 PID 2188 wrote to memory of 2168 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 34 PID 2188 wrote to memory of 2168 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 34 PID 2188 wrote to memory of 2168 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 34 PID 2188 wrote to memory of 2168 2188 167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe 34 PID 2168 wrote to memory of 2768 2168 Logo1_.exe 36 PID 2168 wrote to memory of 2768 2168 Logo1_.exe 36 PID 2168 wrote to memory of 2768 2168 Logo1_.exe 36 PID 2168 wrote to memory of 2768 2168 Logo1_.exe 36 PID 2768 wrote to memory of 2808 2768 net.exe 38 PID 2768 wrote to memory of 2808 2768 net.exe 38 PID 2768 wrote to memory of 2808 2768 net.exe 38 PID 2768 wrote to memory of 2808 2768 net.exe 38 PID 1384 wrote to memory of 2888 1384 cmd.exe 39 PID 1384 wrote to memory of 2888 1384 cmd.exe 39 PID 1384 wrote to memory of 2888 1384 cmd.exe 39 PID 1384 wrote to memory of 2888 1384 cmd.exe 39 PID 2168 wrote to memory of 2904 2168 Logo1_.exe 40 PID 2168 wrote to memory of 2904 2168 Logo1_.exe 40 PID 2168 wrote to memory of 2904 2168 Logo1_.exe 40 PID 2168 wrote to memory of 2904 2168 Logo1_.exe 40 PID 2904 wrote to memory of 2784 2904 net.exe 42 PID 2904 wrote to memory of 2784 2904 net.exe 42 PID 2904 wrote to memory of 2784 2904 net.exe 42 PID 2904 wrote to memory of 2784 2904 net.exe 42 PID 2168 wrote to memory of 1272 2168 Logo1_.exe 21 PID 2168 wrote to memory of 1272 2168 Logo1_.exe 21
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1272
-
C:\Users\Admin\AppData\Local\Temp\167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe"C:\Users\Admin\AppData\Local\Temp\167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
PID:2080
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\$$aD375.bat3⤵
- Deletes itself
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Users\Admin\AppData\Local\Temp\167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe"C:\Users\Admin\AppData\Local\Temp\167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe"4⤵
- Executes dropped EXE
PID:2888
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵
- System Location Discovery: System Language Discovery
PID:2808
-
-
-
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵
- System Location Discovery: System Language Discovery
PID:2784
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
484KB
MD541d5bd106a62b9a38b1c76df058c795d
SHA1f4d66b06c910103c30e24010f380d2d98bd49cab
SHA256a3d71d07d47ca777c1976260894fa8f618a7dc9e5626150b578dd01f722d522f
SHA51246326985ebc5f47fe1542b04b5d78ef58b9fbf3ae7e8f08346b26dbc767eef6a46cebb5d27acc08cb7ce280e814e31032168566d2c2c75f0e0a54745ab976f22
-
Filesize
722B
MD5731d347e32d7aecd4742c7e8830848e1
SHA199c9a5f5a36c12c4588570eb324212770dfd6b4d
SHA256b3dc7b7ad0158956e46557e51f61d1b73e1d7169da16289ff2202722e05fc07c
SHA5129f36eeda0f8f8d54742e6f15dce01ee1fe8c6adbc44c8b18018381661c2be3d3ecd2cfe5016b93be1c3820a9f4eed724124a660076b6aeb62a525ed4daf06dff
-
C:\Users\Admin\AppData\Local\Temp\167aa5ede83a858c0b43b5635f716071ad8cb4834c08be0ecf53314f00df77a5.exe.exe
Filesize544KB
MD59a1dd1d96481d61934dcc2d568971d06
SHA1f136ef9bf8bd2fc753292fb5b7cf173a22675fb3
SHA2568cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525
SHA5127ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa
-
Filesize
39KB
MD5a71bfcd1ef96edb3cc326e1b76824622
SHA1387956a928cafd3b7bf815274ac9ddfb01e59562
SHA2560cd414bed04b78dd4100d3bdddc3fa140a3558caf58072d00359f3e88760c370
SHA5123add11586e4795a4c92b18fc12e0639beef6f2b60f7c5db7276c94f88f2aab7a9c4ad0ad2b60b48646eabc9a5a6cd3607c539223fc210201da7963caa5b7dc92
-
Filesize
10B
MD5688d58fa5756a393f9472937ef284c25
SHA118ee07a5ee8de4fbd046763cd4a55ef2e6c3f808
SHA256e21f27bdf2d90c77d75658b5217d5af4519a6c1bfc326a109eb4a085a2b83302
SHA512c84930eb323c71ffc1edac543a2f60e366de40b39a88b18dba09c1272fae0b12262f4fae496bc9546598507fc37729d829f93b101bbec4739a05be33e0010a3f