Overview
overview
10Static
static
100A6172B017F62EAA.exe
windows7-x64
100A6172B017F62EAA.exe
windows10-2004-x64
102891E1D4BAC70EBA.exe
windows7-x64
102891E1D4BAC70EBA.exe
windows10-2004-x64
103472CB2D1AB89AAB.exe
windows7-x64
103472CB2D1AB89AAB.exe
windows10-2004-x64
10613788884CE0093F.exe
windows7-x64
10613788884CE0093F.exe
windows10-2004-x64
107189AED8B8AE6568.exe
windows7-x64
107189AED8B8AE6568.exe
windows10-2004-x64
10CC3B1F89FAA517E4.exe
windows7-x64
10CC3B1F89FAA517E4.exe
windows10-2004-x64
10F5657AC3DC58DC8C.exe
windows7-x64
10F5657AC3DC58DC8C.exe
windows10-2004-x64
10Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
02-12-2024 05:01
Behavioral task
behavioral1
Sample
0A6172B017F62EAA.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral2
Sample
0A6172B017F62EAA.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
15 signatures
150 seconds
Behavioral task
behavioral3
Sample
2891E1D4BAC70EBA.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral4
Sample
2891E1D4BAC70EBA.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
15 signatures
150 seconds
Behavioral task
behavioral5
Sample
3472CB2D1AB89AAB.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral6
Sample
3472CB2D1AB89AAB.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
15 signatures
150 seconds
Behavioral task
behavioral7
Sample
613788884CE0093F.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral8
Sample
613788884CE0093F.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
15 signatures
150 seconds
Behavioral task
behavioral9
Sample
7189AED8B8AE6568.exe
Resource
win7-20241023-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral10
Sample
7189AED8B8AE6568.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
15 signatures
150 seconds
Behavioral task
behavioral11
Sample
CC3B1F89FAA517E4.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral12
Sample
CC3B1F89FAA517E4.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
15 signatures
150 seconds
Behavioral task
behavioral13
Sample
F5657AC3DC58DC8C.exe
Resource
win7-20240903-en
windows7-x64
21 signatures
150 seconds
Behavioral task
behavioral14
Sample
F5657AC3DC58DC8C.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
19 signatures
150 seconds
General
-
Target
7189AED8B8AE6568.exe
-
Size
137KB
-
MD5
ff7559d2160f6732056ff5a19722e69a
-
SHA1
aed67bf0c6e521fc552cbb4afe24a1c2eb286da7
-
SHA256
c2fc050f33d51d5560da425d137ef1e318f16fe5d49ee894327e33c3e12755e3
-
SHA512
020825f085dc4b08f2454be5425cd937a1f146843b76b445c6d5993d0581fedf93f84742e64b2abe986a8d5803a62a597962a04821488dea771c5354b6dfda10
-
SSDEEP
3072:oLIQ8YzXEMZK1A2czbFk58x+o+EFz9/t2f65q8hb2bIoKb:ostYrEMw6Bxk5zOFNtgJGCUb
Malware Config
Extracted
Path
C:\ProgramData\biobio ransmoware.txt
Ransom Note
kasper Ransmoware
ATTENTION!
At the moment, your system is not protected.
We can fix itand restore files.
To get started, send a file to decrypt trial.
You can trust us after opening the test file.
2.Do not use free programs to unlock.
To restore the system write to both : [email protected] and [email protected]
Telegram id:@biobiorans
Your Decryption ID: 7189AED8B8AE6568
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (9084) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: 7189AED8B8AE6568.exe File opened (read-only) \??\D: 7189AED8B8AE6568.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf 7189AED8B8AE6568.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Palau 7189AED8B8AE6568.exe File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\biobio ransmoware.txt 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Groove.gif.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-2.png 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14583_.GIF.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Louisville.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe 7189AED8B8AE6568.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EADOCUMENTAPPROVAL_REVIEW.XSN.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File created C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\biobio ransmoware.txt 7189AED8B8AE6568.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\La_Paz.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrow.jpg 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00306_.WMF.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPG.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748U.BMP 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\STUDIO.ELM.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui 7189AED8B8AE6568.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\row_over.png 7189AED8B8AE6568.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Guadalcanal.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\biobio ransmoware.txt 7189AED8B8AE6568.exe File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\biobio ransmoware.txt 7189AED8B8AE6568.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\vlc.mo.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099199.GIF.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03453_.WMF.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00183_.WMF 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01236_.WMF.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18208_.WMF 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Modern.dotx 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\utilityfunctions.js 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BOATINST.WMF.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107450.WMF 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187863.WMF.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Berlin 7189AED8B8AE6568.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\LINEAR_RGB.pf 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\settings.css 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\msolui100.dll.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN011.XML.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB6.BDR.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\modules\simplexml.luac 7189AED8B8AE6568.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_down.png 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR13F.GIF.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\BUTTON.GIF 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\attention.gif.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301252.WMF 7189AED8B8AE6568.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\biobio ransmoware.txt 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF 7189AED8B8AE6568.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libx264_plugin.dll.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\builtincontrolsschema.xsd 7189AED8B8AE6568.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\biobio ransmoware.txt 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\TexturedBlue.css 7189AED8B8AE6568.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Antigua.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.dll 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099161.JPG.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\THMBNAIL.PNG 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Common Files\System\msadc\it-IT\msdaremr.dll.mui 7189AED8B8AE6568.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\clock.css 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\validation.js 7189AED8B8AE6568.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mset7jp.kic.EMAIL=[[email protected]]ID=[7189AED8B8AE6568].biobio 7189AED8B8AE6568.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7189AED8B8AE6568.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2760 vssadmin.exe 860 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe 772 7189AED8B8AE6568.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeDebugPrivilege 772 7189AED8B8AE6568.exe Token: SeRestorePrivilege 772 7189AED8B8AE6568.exe Token: SeBackupPrivilege 772 7189AED8B8AE6568.exe Token: SeTakeOwnershipPrivilege 772 7189AED8B8AE6568.exe Token: SeAuditPrivilege 772 7189AED8B8AE6568.exe Token: SeSecurityPrivilege 772 7189AED8B8AE6568.exe Token: SeIncBasePriorityPrivilege 772 7189AED8B8AE6568.exe Token: SeBackupPrivilege 2228 vssvc.exe Token: SeRestorePrivilege 2228 vssvc.exe Token: SeAuditPrivilege 2228 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 772 wrote to memory of 2488 772 7189AED8B8AE6568.exe 31 PID 772 wrote to memory of 2488 772 7189AED8B8AE6568.exe 31 PID 772 wrote to memory of 2488 772 7189AED8B8AE6568.exe 31 PID 772 wrote to memory of 2488 772 7189AED8B8AE6568.exe 31 PID 2488 wrote to memory of 2760 2488 cmd.exe 33 PID 2488 wrote to memory of 2760 2488 cmd.exe 33 PID 2488 wrote to memory of 2760 2488 cmd.exe 33 PID 772 wrote to memory of 1656 772 7189AED8B8AE6568.exe 38 PID 772 wrote to memory of 1656 772 7189AED8B8AE6568.exe 38 PID 772 wrote to memory of 1656 772 7189AED8B8AE6568.exe 38 PID 772 wrote to memory of 1656 772 7189AED8B8AE6568.exe 38 PID 1656 wrote to memory of 860 1656 cmd.exe 40 PID 1656 wrote to memory of 860 1656 cmd.exe 40 PID 1656 wrote to memory of 860 1656 cmd.exe 40 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe"C:\Users\Admin\AppData\Local\Temp\7189AED8B8AE6568.exe"1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2760
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:860
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
402B
MD5c8a67f8b8ce607ff54e7ea29fc000450
SHA14fc728744bb78a8c29f05c67e067d3af755c9cd9
SHA2569a0cc9b664d21fc01f93ce946d8426cbfe4a38623e2b6fe06c967291fc9840ee
SHA51243148dce167a73b32b26a031e97ca75b8f7be8bd0391217d855ed7ae1feee09a9a7a4f356f30d054a9c157cf29d25b24fff321c96f01cedca86cc348f3f556e9