Analysis
-
max time kernel
119s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
01/02/2025, 17:27
Behavioral task
behavioral1
Sample
707b9bcb9f91c510825dee9fdcfe9e50ce21b6febecbc050056a0b2882f3ccb3N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
707b9bcb9f91c510825dee9fdcfe9e50ce21b6febecbc050056a0b2882f3ccb3N.exe
Resource
win10v2004-20241007-en
General
-
Target
707b9bcb9f91c510825dee9fdcfe9e50ce21b6febecbc050056a0b2882f3ccb3N.exe
-
Size
2.0MB
-
MD5
2c35e49ed010ec1805b1d118a2b48f90
-
SHA1
2dba76e93ac539aeaf81bc14380a6e1726b12240
-
SHA256
707b9bcb9f91c510825dee9fdcfe9e50ce21b6febecbc050056a0b2882f3ccb3
-
SHA512
9426f2ec7a8b4cf3ad0520f9a1762cef124764982093e09aa617989d4b3c64573a3fe750200815bb1b81e6dd63d56f38a0d79b9bd3d6d69e1faaa032aaef8d5a
-
SSDEEP
49152:MsThC6TYNwUXz+JR2wjx8+X5gZ+th1aaucQPfM7cSCGDt7WWcrRhajx3l7bQonWq:MsThC6TYNwUXz+JR2wjx8+JgZ+th1aaF
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 12 IoCs
resource yara_rule behavioral2/memory/872-36-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/872-51-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/872-53-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/872-58-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/872-60-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/872-62-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/872-65-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/872-67-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/872-69-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/872-72-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/872-74-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral2/memory/872-76-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades -
Modifies firewall policy service 3 TTPs 10 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Directory\\Windowsdef.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation 707b9bcb9f91c510825dee9fdcfe9e50ce21b6febecbc050056a0b2882f3ccb3N.exe -
Executes dropped EXE 3 IoCs
pid Process 4700 Windowsdef.exe 872 Windowsdef.exe 2292 Windowsdef.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDef = "C:\\Users\\Admin\\AppData\\Roaming\\Directory\\Windowsdef.exe" reg.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4700 set thread context of 872 4700 Windowsdef.exe 87 PID 4700 set thread context of 2292 4700 Windowsdef.exe 88 -
resource yara_rule behavioral2/memory/4468-0-0x0000000000400000-0x00000000005FD000-memory.dmp upx behavioral2/files/0x000b000000023b82-16.dat upx behavioral2/memory/4468-30-0x0000000000400000-0x00000000005FD000-memory.dmp upx behavioral2/memory/872-31-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/872-36-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/872-34-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/2292-38-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral2/memory/2292-43-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral2/memory/2292-45-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral2/memory/4700-50-0x0000000000400000-0x00000000005FD000-memory.dmp upx behavioral2/memory/872-51-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/2292-52-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral2/memory/872-53-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/872-58-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/872-60-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/872-62-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/872-65-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/872-67-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/872-69-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/872-72-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/872-74-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/872-76-0x0000000000400000-0x000000000045C000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windowsdef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windowsdef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windowsdef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 707b9bcb9f91c510825dee9fdcfe9e50ce21b6febecbc050056a0b2882f3ccb3N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 4444 reg.exe 2388 reg.exe 2068 reg.exe 2352 reg.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: 1 872 Windowsdef.exe Token: SeCreateTokenPrivilege 872 Windowsdef.exe Token: SeAssignPrimaryTokenPrivilege 872 Windowsdef.exe Token: SeLockMemoryPrivilege 872 Windowsdef.exe Token: SeIncreaseQuotaPrivilege 872 Windowsdef.exe Token: SeMachineAccountPrivilege 872 Windowsdef.exe Token: SeTcbPrivilege 872 Windowsdef.exe Token: SeSecurityPrivilege 872 Windowsdef.exe Token: SeTakeOwnershipPrivilege 872 Windowsdef.exe Token: SeLoadDriverPrivilege 872 Windowsdef.exe Token: SeSystemProfilePrivilege 872 Windowsdef.exe Token: SeSystemtimePrivilege 872 Windowsdef.exe Token: SeProfSingleProcessPrivilege 872 Windowsdef.exe Token: SeIncBasePriorityPrivilege 872 Windowsdef.exe Token: SeCreatePagefilePrivilege 872 Windowsdef.exe Token: SeCreatePermanentPrivilege 872 Windowsdef.exe Token: SeBackupPrivilege 872 Windowsdef.exe Token: SeRestorePrivilege 872 Windowsdef.exe Token: SeShutdownPrivilege 872 Windowsdef.exe Token: SeDebugPrivilege 872 Windowsdef.exe Token: SeAuditPrivilege 872 Windowsdef.exe Token: SeSystemEnvironmentPrivilege 872 Windowsdef.exe Token: SeChangeNotifyPrivilege 872 Windowsdef.exe Token: SeRemoteShutdownPrivilege 872 Windowsdef.exe Token: SeUndockPrivilege 872 Windowsdef.exe Token: SeSyncAgentPrivilege 872 Windowsdef.exe Token: SeEnableDelegationPrivilege 872 Windowsdef.exe Token: SeManageVolumePrivilege 872 Windowsdef.exe Token: SeImpersonatePrivilege 872 Windowsdef.exe Token: SeCreateGlobalPrivilege 872 Windowsdef.exe Token: 31 872 Windowsdef.exe Token: 32 872 Windowsdef.exe Token: 33 872 Windowsdef.exe Token: 34 872 Windowsdef.exe Token: 35 872 Windowsdef.exe Token: SeDebugPrivilege 2292 Windowsdef.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 4468 707b9bcb9f91c510825dee9fdcfe9e50ce21b6febecbc050056a0b2882f3ccb3N.exe 4700 Windowsdef.exe 872 Windowsdef.exe 872 Windowsdef.exe 2292 Windowsdef.exe 872 Windowsdef.exe -
Suspicious use of WriteProcessMemory 49 IoCs
description pid Process procid_target PID 4468 wrote to memory of 1028 4468 707b9bcb9f91c510825dee9fdcfe9e50ce21b6febecbc050056a0b2882f3ccb3N.exe 82 PID 4468 wrote to memory of 1028 4468 707b9bcb9f91c510825dee9fdcfe9e50ce21b6febecbc050056a0b2882f3ccb3N.exe 82 PID 4468 wrote to memory of 1028 4468 707b9bcb9f91c510825dee9fdcfe9e50ce21b6febecbc050056a0b2882f3ccb3N.exe 82 PID 1028 wrote to memory of 1516 1028 cmd.exe 85 PID 1028 wrote to memory of 1516 1028 cmd.exe 85 PID 1028 wrote to memory of 1516 1028 cmd.exe 85 PID 4468 wrote to memory of 4700 4468 707b9bcb9f91c510825dee9fdcfe9e50ce21b6febecbc050056a0b2882f3ccb3N.exe 86 PID 4468 wrote to memory of 4700 4468 707b9bcb9f91c510825dee9fdcfe9e50ce21b6febecbc050056a0b2882f3ccb3N.exe 86 PID 4468 wrote to memory of 4700 4468 707b9bcb9f91c510825dee9fdcfe9e50ce21b6febecbc050056a0b2882f3ccb3N.exe 86 PID 4700 wrote to memory of 872 4700 Windowsdef.exe 87 PID 4700 wrote to memory of 872 4700 Windowsdef.exe 87 PID 4700 wrote to memory of 872 4700 Windowsdef.exe 87 PID 4700 wrote to memory of 872 4700 Windowsdef.exe 87 PID 4700 wrote to memory of 872 4700 Windowsdef.exe 87 PID 4700 wrote to memory of 872 4700 Windowsdef.exe 87 PID 4700 wrote to memory of 872 4700 Windowsdef.exe 87 PID 4700 wrote to memory of 872 4700 Windowsdef.exe 87 PID 4700 wrote to memory of 2292 4700 Windowsdef.exe 88 PID 4700 wrote to memory of 2292 4700 Windowsdef.exe 88 PID 4700 wrote to memory of 2292 4700 Windowsdef.exe 88 PID 4700 wrote to memory of 2292 4700 Windowsdef.exe 88 PID 4700 wrote to memory of 2292 4700 Windowsdef.exe 88 PID 4700 wrote to memory of 2292 4700 Windowsdef.exe 88 PID 4700 wrote to memory of 2292 4700 Windowsdef.exe 88 PID 4700 wrote to memory of 2292 4700 Windowsdef.exe 88 PID 872 wrote to memory of 3460 872 Windowsdef.exe 89 PID 872 wrote to memory of 3460 872 Windowsdef.exe 89 PID 872 wrote to memory of 3460 872 Windowsdef.exe 89 PID 872 wrote to memory of 1508 872 Windowsdef.exe 90 PID 872 wrote to memory of 1508 872 Windowsdef.exe 90 PID 872 wrote to memory of 1508 872 Windowsdef.exe 90 PID 872 wrote to memory of 3696 872 Windowsdef.exe 91 PID 872 wrote to memory of 3696 872 Windowsdef.exe 91 PID 872 wrote to memory of 3696 872 Windowsdef.exe 91 PID 872 wrote to memory of 3364 872 Windowsdef.exe 92 PID 872 wrote to memory of 3364 872 Windowsdef.exe 92 PID 872 wrote to memory of 3364 872 Windowsdef.exe 92 PID 3460 wrote to memory of 2068 3460 cmd.exe 97 PID 3460 wrote to memory of 2068 3460 cmd.exe 97 PID 3460 wrote to memory of 2068 3460 cmd.exe 97 PID 3696 wrote to memory of 4444 3696 cmd.exe 98 PID 3696 wrote to memory of 4444 3696 cmd.exe 98 PID 3696 wrote to memory of 4444 3696 cmd.exe 98 PID 1508 wrote to memory of 2388 1508 cmd.exe 99 PID 1508 wrote to memory of 2388 1508 cmd.exe 99 PID 1508 wrote to memory of 2388 1508 cmd.exe 99 PID 3364 wrote to memory of 2352 3364 cmd.exe 100 PID 3364 wrote to memory of 2352 3364 cmd.exe 100 PID 3364 wrote to memory of 2352 3364 cmd.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\707b9bcb9f91c510825dee9fdcfe9e50ce21b6febecbc050056a0b2882f3ccb3N.exe"C:\Users\Admin\AppData\Local\Temp\707b9bcb9f91c510825dee9fdcfe9e50ce21b6febecbc050056a0b2882f3ccb3N.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jgpor.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDef" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe" /f3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1516
-
-
-
C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe"C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exeC:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2068
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2388
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4444
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2352
-
-
-
-
C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exeC:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2292
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5130a1ad614bfc1851533b7a02e302622
SHA16cd68d0bacb7b24ca9baedc80d90f1bfca3bb92c
SHA2564620f5f49d3f3c3fcb10d7dd83e5fdc0b2efd44ae429ee5a8dc3e64d76e6bc9a
SHA51216b5e40deb2e66287b86bbff11ac986f36b94a5849fbe2ed7124296e95d563ec0e9b00cbd6008c993c383d1610d371177faf5a9cd5da77a34a778e901f9e7a25
-
Filesize
2.0MB
MD5c3344d288a916353466bf9d78d133b12
SHA18373424d644015bfecc19e0717e1a5c9359b5c56
SHA256378d88667cf64252fcdcc958d27e026f67ee3b650929f915b6af411759c6b128
SHA512b5862cf04983614b3cbfeaebe83e5090fc5b70c9e6b4bce0d4d05de2dc2fee9523134a34db484a466f35c3147121dce117143af739e0fa2397153749feff7b86