Analysis
-
max time kernel
117s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30-11-2024 21:35
Static task
static1
Behavioral task
behavioral1
Sample
332773c3fd474628c8712985b6dcdf8e7e38f478570ac87665410023e60863a4N.exe
Resource
win7-20240903-en
General
-
Target
332773c3fd474628c8712985b6dcdf8e7e38f478570ac87665410023e60863a4N.exe
-
Size
808KB
-
MD5
9de9363c50721f3c8eae5a2725f51690
-
SHA1
f1eb284765f36d9d7c498e43d2403c3af2b2ab6f
-
SHA256
332773c3fd474628c8712985b6dcdf8e7e38f478570ac87665410023e60863a4
-
SHA512
a36962d9e16873d108a79eaee1e1bfd5dceb2fab54f61a1dae5d859625d0b3bb5a80041c7cbebb90ad1c61f6d7efe90c7d698ab4d17353d68637b54090e85d4a
-
SSDEEP
12288:cXJYagld8WUxFkyekJfC+R3D5g4OYo4VsJdq3vbFPXswlXV/4JUu8KbEYUDDKvm8:2YFkJqOG4xBxVS
Malware Config
Extracted
cybergate
v1.07.5
Cyber
stopscammingidiot.no-ip.biz:100
G16V88J605XN2M
-
enable_keylogger
true
-
enable_message_box
false
-
ftp_directory
./logs/
-
ftp_interval
30
-
injected_process
Svchost.exe
-
install_dir
system32
-
install_file
Svchost.exe
-
install_flag
true
-
keylogger_enable_ftp
false
-
message_box_caption
Remote Administration anywhere in the world.
-
message_box_title
CyberGate
-
password
123456
-
regkey_hkcu
HKCU
-
regkey_hklm
HKLM
Signatures
-
Cybergate family
-
Adds policy Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 280.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\system32\\Svchost.exe" 280.exe Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 280.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\system32\\Svchost.exe" 280.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6WXVCM1E-AV5K-V4MX-7547-SIU6F38IB028} 280.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6WXVCM1E-AV5K-V4MX-7547-SIU6F38IB028}\StubPath = "C:\\Windows\\system32\\system32\\Svchost.exe Restart" 280.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6WXVCM1E-AV5K-V4MX-7547-SIU6F38IB028} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6WXVCM1E-AV5K-V4MX-7547-SIU6F38IB028}\StubPath = "C:\\Windows\\system32\\system32\\Svchost.exe" explorer.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 280.exe -
Executes dropped EXE 2 IoCs
pid Process 4148 280.exe 4644 Svchost.exe -
Loads dropped DLL 1 IoCs
pid Process 2260 280.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\system32\\Svchost.exe" 280.exe Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\system32\\Svchost.exe" 280.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\system32\Svchost.exe 280.exe File opened for modification C:\Windows\SysWOW64\system32\ 280.exe File created C:\Windows\SysWOW64\system32\Svchost.exe 280.exe File opened for modification C:\Windows\SysWOW64\system32\Svchost.exe 280.exe -
resource yara_rule behavioral2/memory/4148-10-0x0000000010410000-0x0000000010475000-memory.dmp upx behavioral2/memory/4148-14-0x0000000010480000-0x00000000104E5000-memory.dmp upx behavioral2/memory/4148-72-0x0000000010480000-0x00000000104E5000-memory.dmp upx behavioral2/memory/4132-78-0x0000000010480000-0x00000000104E5000-memory.dmp upx behavioral2/memory/4132-170-0x0000000010480000-0x00000000104E5000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1828 4644 WerFault.exe 89 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 280.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Svchost.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 280.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4148 280.exe 4148 280.exe 4148 280.exe 4148 280.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2260 280.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeBackupPrivilege 4132 explorer.exe Token: SeRestorePrivilege 4132 explorer.exe Token: SeBackupPrivilege 2260 280.exe Token: SeRestorePrivilege 2260 280.exe Token: SeDebugPrivilege 2260 280.exe Token: SeDebugPrivilege 2260 280.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4148 280.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3960 wrote to memory of 4148 3960 332773c3fd474628c8712985b6dcdf8e7e38f478570ac87665410023e60863a4N.exe 84 PID 3960 wrote to memory of 4148 3960 332773c3fd474628c8712985b6dcdf8e7e38f478570ac87665410023e60863a4N.exe 84 PID 3960 wrote to memory of 4148 3960 332773c3fd474628c8712985b6dcdf8e7e38f478570ac87665410023e60863a4N.exe 84 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56 PID 4148 wrote to memory of 3508 4148 280.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3508
-
C:\Users\Admin\AppData\Local\Temp\332773c3fd474628c8712985b6dcdf8e7e38f478570ac87665410023e60863a4N.exe"C:\Users\Admin\AppData\Local\Temp\332773c3fd474628c8712985b6dcdf8e7e38f478570ac87665410023e60863a4N.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Users\Admin\AppData\Local\Temp\280.exeC:\Users\Admin\AppData\Local\Temp\280.exe3⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe4⤵
- Boot or Logon Autostart Execution: Active Setup
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4132
-
-
C:\Users\Admin\AppData\Local\Temp\280.exe"C:\Users\Admin\AppData\Local\Temp\280.exe"4⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2260 -
C:\Windows\SysWOW64\system32\Svchost.exe"C:\Windows\system32\system32\Svchost.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4644 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 5846⤵
- Program crash
PID:1828
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4644 -ip 46441⤵PID:3584
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
296KB
MD56afb13c14bf63d663dbe88d7f1fe0130
SHA15e707443dc8dfc126f443fa405af457913dec921
SHA256cd5d45fba6c736217301dae95df68b0842223b2781dc4b8aa2c8135903e538c2
SHA512e8d4adb40dcc6291c5eec5af649ac1f3b1c38faa398d8e76617c5bcc29cb2f449554ade6c6daf1f35505ada83c86d9fb473e5899d8bccb814aaa1e931fed2bf3
-
Filesize
224KB
MD513a8c5fa231e1924e3b6b1afda1d6119
SHA1d3ad411c048bbf3f1be3cfdcd6e7b70b6df12e15
SHA256fdd3ad3ac20874b847d888fd1114c2f670b7e9295ecf54cb5e6ccf05f01d8235
SHA512058aaa42be439b3a35108da0bbbe9c90ca8afea23e185c275fbfc88d8555ad09293e4eb139d4753d921c8e7711edcfc423b2662ed6c966be3f9a5b1e247ec1f3
-
Filesize
8B
MD50e48969da6936b4bab3c6aff2751eb8b
SHA17774963632978cba8975626c05c7b5cf29b50ffe
SHA256116d308c7771f85e03a82ee78cf285f8de8feb26e236ac0f1a4755dbb28b4548
SHA5122ee7287dd20ba6d2a249a1d87ade5ddf3f324bb15279e099067491dbc0df7d1f424f5e6b6db3f633fa74bf7d2e3c53fd837815b6906d427a476bc0792fd1b475
-
Filesize
8B
MD534bbde9f103d7bcffece01a8349c9328
SHA1b3d5b9a8597455d9abc17d79e12853b8c0620c20
SHA256b3dcc84b95aa4d2edb00e2cc81ae60e9c2fe2e17c29b5c4a4113f1c2d9f84a69
SHA51239a875ec1d0578fd4f4ced5eea65f4e6331f662ff6693e6213c9fe8ebc3024c6d101e134533202fa1876244e8565e90b73983f4f2c8d65029bd6cda17c028c11
-
Filesize
8B
MD5fc8b17671cc1c540ba24d84dd33b9e99
SHA1e200f00fc859461856fe0434ad6ad31331471f13
SHA2565c57430ff013a486361372c945d64b92b12acea4c6de47b26e275dee6af79b0c
SHA5120915b57632916fb5a11f51e8b2d7c7da1f1ffa8128f8f4b2d4cdbc700e6076a90eefc5a80c9b5ccc0edf0b679a2afed64bec5796b4fc7a9908ed8760225ab06f
-
Filesize
8B
MD5fc30c471af787a509ba543200f9fbdaf
SHA189ab2ad4d73a5a0214bfa47c191be1425f6a39c8
SHA2569ca221daaab8cb801a9e2a95fe129ac315be2310314eb8e74b343962fa7a1078
SHA512d7b594fcd4ddda3ddc741412abd39c066a5e6420d0ce6da6612d371c6357ccd448def0a3490ce1dde65d4664afe883e9282b683d434ded0c4f44080c9163b9bd
-
Filesize
8B
MD58f250c95aedd0545331d5f10310eb013
SHA145429e5c7bb233a1df6461e2580199099f2af8bc
SHA2560033913cbb7922f181599bb998c791aba3260238bfa6d659e7ce38dd119f4bea
SHA5120ca57fd1b7ba683708b6ff51df601861c7e8eff104e575b8d162d6e0a1edff2ea9f30c62ef8ffaf45e02aba6fccfbd52320956e6d7a55517a50bdeeafdd74c89
-
Filesize
8B
MD5bf6d907d583a5dc58cdf2848d5abda67
SHA1874d0c1ce640e7e2405fd980ca5a021536d65ad6
SHA256f76613277035a507d87f80f133a818d48386573eeb4cf121af7fc07a79464840
SHA51235f554c9567a99c396cb305649234e4685f8952282dab1c36d3668fae2bb96239196c070c6d74f17fc3660dfd1fd185a212085026fa000832dad518d386ba9e2
-
Filesize
8B
MD598382862ac04d5bfaa9eeb55ee08251e
SHA1ffb7fbb6cdfde351dd7eb9c8c4463797d7b1aae0
SHA25669fc26781d44c8a86f3f61f2bc95222405a0c3d85f476039d77638ee9eb97918
SHA512c283e147486d1ca8af34e74d064515ff31e27d472bce3d7f21ff5c1e210f87929088288888a18d71a3a9f88ae2d00070238dbdaf818a072b010c419962997a94
-
Filesize
8B
MD5a9aca66fbd28e3d921743a8a98770f13
SHA1652c51635552b6b4276f47e3620bbbd67d343195
SHA256b2ee6efc6a39621fd685e407b23f7cf91ce30eb45bd49f5373e9cda800fd8381
SHA51206d5af8ffa09de1b966d5b06b530ceff7ea7852725c0ae818bc09dd3d080a7e6e9678f4afd84e6a5e981a39b19235f3691d131de10a216bdf90dee7914b7f796
-
Filesize
8B
MD546e11af47b3fb5e844d9d0638041f567
SHA15bc0b4df12682ac7b6c66911eb0e5e21d7ebc8b0
SHA256550fc11bef0f1a1242958c507c9370b0adce117f6a86541be367836104ce3b08
SHA51209b68e0b0831dbd0ae08ec99cf6c8da48f7234637e990cf12c731078ec0deb13c9e801e41b990bbc4aecacf8a29d2260460fc0c045af0f766ec21b6f9236c989
-
Filesize
8B
MD56382cbe3f59261bcd18b3dcb0c0541d6
SHA1dc81ee7528ef463b4ebd412836b82c67c87bc868
SHA256e0f7f40db8f4c3098b6ff1a0a4f20b7f7b37f20f12cae5da572955afe48c3c6c
SHA51264cf7db8025f23b83a045dbf8d9affa89c457193c8e512746609f9c4a59abf1823bda5555108017e24f7968a6c03c370a4ff505b41531f7e811ffa4d2f0cb24c
-
Filesize
8B
MD5eba36b2caf774b17d1c6a872c22663a0
SHA1236b6e325490684a8bb2268975e5cd24957bb8f2
SHA256b8601fd1bf2edf3026c4eca69ab09b0e6b06d5bd45a8a772abcb8ea9dff76a80
SHA5120f251cb81f3aeee2c52a38522db0a1f5bebb6f13fd0b367e5c6a3d9ab8f8bfc7610389ccf7e0853d309ea3ae24c409535ffbc10fffd3b9ec95595a33e1dc59fd
-
Filesize
8B
MD58f3c24c32576de06579b3aed766a664b
SHA1a84c2f0f321722c2037d31ac32ef1f599a6753f9
SHA256fc935cb3f3f61614f4b29a8827e01a16763db0118d0b550265a9af01f1e7b407
SHA512dd2503d60632c431602120cd1003b024c1f4c911c0d21e59ce039f8201eabcf13560289a84f60bb7f35477b4e4735e344e2800fdbefb866f0cc893de442a2af8
-
Filesize
8B
MD5fd43772f2536e66de1e0ba547f468f96
SHA1400cd306435ebaeb2cd2f98f50f38368bbec8c68
SHA256e0f9d8f446422a525ace379d087d74a25a0f38607c3f25cbaf6d63ad18487913
SHA512032a18b68cbae9c8676653d24bfe11f977f65f910123c6ca78456dd1749305736afdffc5d4686d1f8fcb71e8151a443d61c5b28d2a3078f284740708de7047d0
-
Filesize
8B
MD5939a8444728fea2088a276f4f0f35b91
SHA15f6dbffb92285ae3607cce4f6a91b8467b1649ec
SHA25676b0f144c40cf68745fe2f2a567f4e9bc6553700cdd7f7cffe86f37d706d1663
SHA512100e1ccc988c08ebb46f6f2892fc427322f72c83bb703dc7ca89863390372f1b225dc917bd2f7e5e8e5f9558e208db803e3a3a0ad382817a6c96550a756815c4
-
Filesize
8B
MD5f43331d13b9025126af9c5dfad8938f0
SHA17ab4ed32b06312a85aa71a641220737f70ebe0f6
SHA2564fabe42627ff95196e22a44cab025d0e6611ee9cb12eaa73eb37a8001a20f20e
SHA5122dbff28957b463337a4c12013c01600d81a2d67afcac98baf163c4b72a9fbe64aa679d752d29c13a5df3ad6417b56ea76a1ac25598b1a6ab8fa79e560c5d467e
-
Filesize
8B
MD521794a9d08a31373e9eefbcce04468ed
SHA101cbf68239b7fcb3ad932234074d154368d83ca2
SHA2561277b7cf8861a06c6148a4c4bb0fca9dfb16bdd387dc15ae2c3e3950693ba9e5
SHA512089f541c4c5b5798b7969c91cff584d7136d8f55794adee7adfd00b0518687b61df98aa8a92c7f7d31c3a185b774ce60748ec49399ebcd10ceb244d67d67a567
-
Filesize
8B
MD52396bb0e87e3cbce91f3d93dfed190d9
SHA12114299441453cc5a8c26c9137c668f74b9fe4c2
SHA25611e18f2936190f4eeab2dd62ec0a24db1a44caff9fc66a5e8f9dcd5e8123d5b3
SHA512a72b7aa0e48850a98775c53a1b3529a9d9897c2712200b4e46312e416709ea492a2626d16744774b80e0cd1536e01cfaa04d1e466a8ec9fb82de20eaebe8e4ad
-
Filesize
8B
MD5a535b10bd92368d83d664a54d50583ae
SHA11f7f2e7cd014825eb4bf78283b069b0f98d696f1
SHA2563f51359c4e1cfa32d7cc3c0113318a70dc6d56909939dbcf8297714ae4e19168
SHA512d63193366c62d0b48f4e18e7e7ab9de99a5db9c5cbf22f4b96f5a2772550a06cd3f5007fa11cf4250690772cf529eb8c130263aeabb598e14839235da0b819db
-
Filesize
15B
MD5bf3dba41023802cf6d3f8c5fd683a0c7
SHA1466530987a347b68ef28faad238d7b50db8656a5
SHA2564a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d
SHA512fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314