Analysis
max time kernel: 147s
max time network: 151s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15-11-2024 15:35
Static task: static1
Behavioral task: behavioral1
Sample: random4.exe
Resource: win7-20240903-en
General
Target: random4.exe
Size: 3.1MB
MD5: 00c0358385d6ae38bbb01a8ae4671488
SHA1: 4ef5087b146f94ceb84f1ba2d58a17831cf5317f
SHA256: f2dcc9f8b6e1b4f53548e4c05bb3e618090ab3d16d263584723644a32cbf9dc3
SHA512: ec616d518b45710c7bc20fcce4c539fb5bc818083a4b127134ed3bc747ebe8dd1ccce1984b3280a6ab12b60113839abc4d066e9d262f6edcd4791a75183d78eb
SSDEEP: 49152:hoSQiwTUp3N57tv1RWM65ZNRizKacCBB3cdEYzMDek:xQrTS3NJx2p3NAzDjBVuEYxk
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
install_dir: abc3bc1985
install_file: skotes.exe
strings_key: 8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths: /Zu7JuNko/index.php
Signatures

Amadey family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2c8b46897c.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | random4.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | skotes.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 3e0881664b.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 7af50bf25f.exe

Downloads MZ/PE file

Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | random4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 7af50bf25f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2c8b46897c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | random4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 3e0881664b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 3e0881664b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 7af50bf25f.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2c8b46897c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | skotes.exe

Executes dropped EXE (10 IoCs)
pid | Process
2732 | skotes.exe
1800 | build.exe
1732 | SKOblik.exe
2300 | stories.exe
348 | stories.tmp
1924 | shineencoder32.exe
2344 | 3e0881664b.exe
2940 | 7af50bf25f.exe
2132 | 2c8b46897c.exe
2052 | skotes.exe

Identifies Wine through registry keys (2 TTPs, 6 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | 3e0881664b.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | 7af50bf25f.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | 2c8b46897c.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | skotes.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | random4.exe
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | skotes.exe

Loads dropped DLL (15 IoCs)
pid | Process
1708 | random4.exe
2732 | skotes.exe
2732 | skotes.exe
2732 | skotes.exe
2300 | stories.exe
348 | stories.tmp
348 | stories.tmp
1924 | shineencoder32.exe
2732 | skotes.exe
2732 | skotes.exe
2732 | skotes.exe
2732 | skotes.exe
2732 | skotes.exe
2732 | skotes.exe
2732 | skotes.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\7af50bf25f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006462001\\7af50bf25f.exe" | skotes.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\2c8b46897c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1006463001\\2c8b46897c.exe" | skotes.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
pid | Process
1708 | random4.exe
2732 | skotes.exe
2344 | 3e0881664b.exe
2940 | 7af50bf25f.exe
2132 | 2c8b46897c.exe
2052 | skotes.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2732 set thread context of 2052 | 2732 | skotes.exe | 46

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\skotes.job | random4.exe

Embeds OpenSSL (1 IoCs)
Embeds OpenSSL, may be used to circumvent TLS interception.
resource | yara_rule
behavioral1/files/0x000800000001707c-53.dat | embeds_openssl

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | random4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | shineencoder32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7af50bf25f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skotes.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | stories.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | stories.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3e0881664b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2c8b46897c.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
1708 | random4.exe
2732 | skotes.exe
348 | stories.tmp
348 | stories.tmp
2344 | 3e0881664b.exe
2940 | 7af50bf25f.exe
2132 | 2c8b46897c.exe
2052 | skotes.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1708 | random4.exe
348 | stories.tmp

Suspicious use of WriteProcessMemory (62 IoCs)
Consecutive identical rows are collapsed; the last column gives how many times each row was listed.
description | pid | Process | procid_target | listed
PID 1708 wrote to memory of 2732 | 1708 | random4.exe | 31 | x4
PID 2732 wrote to memory of 1800 | 2732 | skotes.exe | 34 | x4
PID 2732 wrote to memory of 1732 | 2732 | skotes.exe | 36 | x4
PID 2732 wrote to memory of 2300 | 2732 | skotes.exe | 37 | x7
PID 2300 wrote to memory of 348 | 2300 | stories.exe | 38 | x7
PID 348 wrote to memory of 1604 | 348 | stories.tmp | 39 | x4
PID 348 wrote to memory of 1924 | 348 | stories.tmp | 41 | x4
PID 1604 wrote to memory of 2120 | 1604 | net.exe | 42 | x4
PID 2732 wrote to memory of 2344 | 2732 | skotes.exe | 43 | x4
PID 2732 wrote to memory of 2940 | 2732 | skotes.exe | 44 | x4
PID 2732 wrote to memory of 2132 | 2732 | skotes.exe | 45 | x4
PID 2732 wrote to memory of 2052 | 2732 | skotes.exe | 46 | x12

Processes

C:\Users\Admin\AppData\Local\Temp\random4.exe (depth 1, PID 1708)
Command line: "C:\Users\Admin\AppData\Local\Temp\random4.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (depth 2, PID 2732)
  Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\1006262001\build.exe (depth 3, PID 1800)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1006262001\build.exe"
    - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\1006418001\SKOblik.exe (depth 3, PID 1732)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1006418001\SKOblik.exe"
    - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\1006431001\stories.exe (depth 3, PID 2300)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1006431001\stories.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\is-5FQTI.tmp\stories.tmp (depth 4, PID 348)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-5FQTI.tmp\stories.tmp" /SL5="$C0150,5532893,721408,C:\Users\Admin\AppData\Local\Temp\1006431001\stories.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net.exe (depth 5, PID 1604)
        Command line: "C:\Windows\system32\net.exe" pause shine-encoder_11152
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\net1.exe (depth 6, PID 2120)
          Command line: C:\Windows\system32\net1 pause shine-encoder_11152
          - System Location Discovery: System Language Discovery

        C:\Users\Admin\AppData\Local\Shine Encoder 1.4.3\shineencoder32.exe (depth 5, PID 1924)
        Command line: "C:\Users\Admin\AppData\Local\Shine Encoder 1.4.3\shineencoder32.exe" -i
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\1006449001\3e0881664b.exe (depth 3, PID 2344)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1006449001\3e0881664b.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\1006462001\7af50bf25f.exe (depth 3, PID 2940)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1006462001\7af50bf25f.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\1006463001\2c8b46897c.exe (depth 3, PID 2132)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1006463001\2c8b46897c.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe (depth 3, PID 2052)
    Command line: "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\1006465001\4b31f30d4f.exe (depth 3, PID 3032)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1006465001\4b31f30d4f.exe"

Network
MITRE ATT&CK Enterprise v15
Downloads