Analysis
-
max time kernel
150s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
07/11/2022, 04:39
Behavioral task
behavioral1
Sample
d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe
Resource
win10v2004-20220812-en
General
-
Target
d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe
-
Size
267KB
-
MD5
06e2f2b76a12acc1673f3bc5d2b6e0dd
-
SHA1
823a535162560825c1b766f40049acf2c0fdfbbb
-
SHA256
d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da
-
SHA512
f75069e7fbeb0242240ca2aa161c27b6bad7f4152a2e31fd65b467c5b545d095e7d5448404591233d954ace9d952441979154525420edee31c360ae8984598bf
-
SSDEEP
6144:XbfO3SlNyTkyhlx0kRujRYO4VYAtHJ3DFLjxIE++/gAxcbibMoS6:LfIST8kk0kMlCPTvXxKXoS6
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe = "C:\\Users\\Admin\\AppData\\Roaming\\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe -
Executes dropped EXE 3 IoCs
pid Process 1712 winlogon.exe 1364 winlogon.exe 1168 winlogon.exe -
resource yara_rule upx behavioral1/memory/816-56-0x0000000000400000-0x000000000057E000-memory.dmp upx behavioral1/files/0x000800000001420e-61.dat upx behavioral1/files/0x000800000001420e-62.dat upx behavioral1/files/0x000800000001420e-64.dat upx behavioral1/files/0x000800000001420e-65.dat upx behavioral1/files/0x000800000001420e-63.dat upx behavioral1/files/0x000800000001420e-67.dat upx behavioral1/memory/816-68-0x0000000000400000-0x000000000057E000-memory.dmp upx behavioral1/files/0x000800000001420e-71.dat upx behavioral1/memory/1712-72-0x0000000000400000-0x000000000057E000-memory.dmp upx behavioral1/memory/1364-73-0x0000000000400000-0x000000000045D000-memory.dmp upx behavioral1/memory/1364-77-0x0000000000400000-0x000000000045D000-memory.dmp upx behavioral1/files/0x000800000001420e-75.dat upx behavioral1/memory/1364-78-0x0000000000400000-0x000000000045D000-memory.dmp upx behavioral1/memory/1168-80-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral1/memory/1712-85-0x0000000000400000-0x000000000057E000-memory.dmp upx behavioral1/files/0x000800000001420e-83.dat upx behavioral1/memory/1168-86-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral1/memory/1168-88-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral1/memory/1364-101-0x0000000000400000-0x000000000045D000-memory.dmp upx behavioral1/memory/1168-100-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral1/memory/1364-103-0x0000000000400000-0x000000000045D000-memory.dmp upx -
Loads dropped DLL 5 IoCs
pid Process 816 d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe 816 d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe 816 d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe 816 d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe 816 d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" reg.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run reg.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1712 set thread context of 1364 1712 winlogon.exe 31 PID 1712 set thread context of 1168 1712 winlogon.exe 32 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key 1 TTPs 4 IoCs
pid Process 880 reg.exe 1312 reg.exe 1584 reg.exe 1900 reg.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: SeDebugPrivilege 1168 winlogon.exe Token: 1 1364 winlogon.exe Token: SeCreateTokenPrivilege 1364 winlogon.exe Token: SeAssignPrimaryTokenPrivilege 1364 winlogon.exe Token: SeLockMemoryPrivilege 1364 winlogon.exe Token: SeIncreaseQuotaPrivilege 1364 winlogon.exe Token: SeMachineAccountPrivilege 1364 winlogon.exe Token: SeTcbPrivilege 1364 winlogon.exe Token: SeSecurityPrivilege 1364 winlogon.exe Token: SeTakeOwnershipPrivilege 1364 winlogon.exe Token: SeLoadDriverPrivilege 1364 winlogon.exe Token: SeSystemProfilePrivilege 1364 winlogon.exe Token: SeSystemtimePrivilege 1364 winlogon.exe Token: SeProfSingleProcessPrivilege 1364 winlogon.exe Token: SeIncBasePriorityPrivilege 1364 winlogon.exe Token: SeCreatePagefilePrivilege 1364 winlogon.exe Token: SeCreatePermanentPrivilege 1364 winlogon.exe Token: SeBackupPrivilege 1364 winlogon.exe Token: SeRestorePrivilege 1364 winlogon.exe Token: SeShutdownPrivilege 1364 winlogon.exe Token: SeDebugPrivilege 1364 winlogon.exe Token: SeAuditPrivilege 1364 winlogon.exe Token: SeSystemEnvironmentPrivilege 1364 winlogon.exe Token: SeChangeNotifyPrivilege 1364 winlogon.exe Token: SeRemoteShutdownPrivilege 1364 winlogon.exe Token: SeUndockPrivilege 1364 winlogon.exe Token: SeSyncAgentPrivilege 1364 winlogon.exe Token: SeEnableDelegationPrivilege 1364 winlogon.exe Token: SeManageVolumePrivilege 1364 winlogon.exe Token: SeImpersonatePrivilege 1364 winlogon.exe Token: SeCreateGlobalPrivilege 1364 winlogon.exe Token: 31 1364 winlogon.exe Token: 32 1364 winlogon.exe Token: 33 1364 winlogon.exe Token: 34 1364 winlogon.exe Token: 35 1364 winlogon.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 816 d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe 1712 winlogon.exe 1364 winlogon.exe 1364 winlogon.exe 1168 winlogon.exe 1364 winlogon.exe -
Suspicious use of WriteProcessMemory 62 IoCs
description pid Process procid_target PID 816 wrote to memory of 1736 816 d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe 27 PID 816 wrote to memory of 1736 816 d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe 27 PID 816 wrote to memory of 1736 816 d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe 27 PID 816 wrote to memory of 1736 816 d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe 27 PID 1736 wrote to memory of 960 1736 cmd.exe 29 PID 1736 wrote to memory of 960 1736 cmd.exe 29 PID 1736 wrote to memory of 960 1736 cmd.exe 29 PID 1736 wrote to memory of 960 1736 cmd.exe 29 PID 816 wrote to memory of 1712 816 d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe 30 PID 816 wrote to memory of 1712 816 d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe 30 PID 816 wrote to memory of 1712 816 d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe 30 PID 816 wrote to memory of 1712 816 d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe 30 PID 1712 wrote to memory of 1364 1712 winlogon.exe 31 PID 1712 wrote to memory of 1364 1712 winlogon.exe 31 PID 1712 wrote to memory of 1364 1712 winlogon.exe 31 PID 1712 wrote to memory of 1364 1712 winlogon.exe 31 PID 1712 wrote to memory of 1364 1712 winlogon.exe 31 PID 1712 wrote to memory of 1364 1712 winlogon.exe 31 PID 1712 wrote to memory of 1364 1712 winlogon.exe 31 PID 1712 wrote to memory of 1364 1712 winlogon.exe 31 PID 1712 wrote to memory of 1364 1712 winlogon.exe 31 PID 1712 wrote to memory of 1168 1712 winlogon.exe 32 PID 1712 wrote to memory of 1168 1712 winlogon.exe 32 PID 1712 wrote to memory of 1168 1712 winlogon.exe 32 PID 1712 wrote to memory of 1168 1712 winlogon.exe 32 PID 1712 wrote to memory of 1168 1712 winlogon.exe 32 PID 1712 wrote to memory of 1168 1712 winlogon.exe 32 PID 1712 wrote to memory of 1168 1712 winlogon.exe 32 PID 1712 wrote to memory of 1168 1712 winlogon.exe 32 PID 1712 wrote to memory of 1168 1712 winlogon.exe 32 PID 1364 wrote to memory of 672 1364 winlogon.exe 33 PID 1364 wrote to memory of 672 1364 winlogon.exe 33 PID 1364 wrote to memory of 672 1364 winlogon.exe 33 PID 1364 wrote to memory of 672 1364 winlogon.exe 33 PID 1364 wrote to memory of 1996 1364 winlogon.exe 34 PID 1364 wrote to memory of 1996 1364 winlogon.exe 34 PID 1364 wrote to memory of 1996 1364 winlogon.exe 34 PID 1364 wrote to memory of 1996 1364 winlogon.exe 34 PID 1364 wrote to memory of 1188 1364 winlogon.exe 36 PID 1364 wrote to memory of 1188 1364 winlogon.exe 36 PID 1364 wrote to memory of 1188 1364 winlogon.exe 36 PID 1364 wrote to memory of 1188 1364 winlogon.exe 36 PID 1364 wrote to memory of 1704 1364 winlogon.exe 39 PID 1364 wrote to memory of 1704 1364 winlogon.exe 39 PID 1364 wrote to memory of 1704 1364 winlogon.exe 39 PID 1364 wrote to memory of 1704 1364 winlogon.exe 39 PID 1996 wrote to memory of 1312 1996 cmd.exe 41 PID 1996 wrote to memory of 1312 1996 cmd.exe 41 PID 1996 wrote to memory of 1312 1996 cmd.exe 41 PID 1996 wrote to memory of 1312 1996 cmd.exe 41 PID 672 wrote to memory of 1584 672 cmd.exe 42 PID 672 wrote to memory of 1584 672 cmd.exe 42 PID 672 wrote to memory of 1584 672 cmd.exe 42 PID 672 wrote to memory of 1584 672 cmd.exe 42 PID 1704 wrote to memory of 1900 1704 cmd.exe 43 PID 1704 wrote to memory of 1900 1704 cmd.exe 43 PID 1704 wrote to memory of 1900 1704 cmd.exe 43 PID 1704 wrote to memory of 1900 1704 cmd.exe 43 PID 1188 wrote to memory of 880 1188 cmd.exe 44 PID 1188 wrote to memory of 880 1188 cmd.exe 44 PID 1188 wrote to memory of 880 1188 cmd.exe 44 PID 1188 wrote to memory of 880 1188 cmd.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe"C:\Users\Admin\AppData\Local\Temp\d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\LAGLG.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Winlogon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe" /f3⤵
- Adds Run key to start application
PID:960
-
-
-
C:\Users\Admin\AppData\Roaming\winlogon.exe"C:\Users\Admin\AppData\Roaming\winlogon.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Users\Admin\AppData\Roaming\winlogon.exewinlogon.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- Modifies registry key
PID:1584
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f4⤵
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- Modifies registry key
PID:1312
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- Modifies registry key
PID:880
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" /f4⤵
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- Modifies registry key
PID:1900
-
-
-
-
C:\Users\Admin\AppData\Roaming\winlogon.exeC:\Users\Admin\AppData\Roaming\winlogon.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1168
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
138B
MD54da6717f2c70f4bd32ad33a227a2ff47
SHA13d7f7159e1f695bd469287d1ad4ffa0841b407a8
SHA256a12bb2e5d2fb0b3c400ce311fae72995a00b57a97d23e4b9effec47cff189d07
SHA5126765314054ad9bf2164058248f3d3a17775176925abbe4376aec030dca3a5e59be8b9e96139941fec2b2e1a9bff38f87abdb29ea09a299d8ab7e23ecec4083df
-
Filesize
267KB
MD5b64e24180fac6fb2213979c9a865a793
SHA1fe91a76f2008b762584eea35cc54e08ca0a72c35
SHA256f44edc671fdbb68ff28a67358790f58c021607c0a1d433fc7ae07e77fbd62b76
SHA5120c07604f38cf2afc9f494e3bbc29ac3c8462fb7aa1019a8360ec90a3369088e919d43e247adf297682e76bf41057b4757e93aae68f5c7d858cc06cc7073c3112
-
Filesize
267KB
MD5b64e24180fac6fb2213979c9a865a793
SHA1fe91a76f2008b762584eea35cc54e08ca0a72c35
SHA256f44edc671fdbb68ff28a67358790f58c021607c0a1d433fc7ae07e77fbd62b76
SHA5120c07604f38cf2afc9f494e3bbc29ac3c8462fb7aa1019a8360ec90a3369088e919d43e247adf297682e76bf41057b4757e93aae68f5c7d858cc06cc7073c3112
-
Filesize
267KB
MD5b64e24180fac6fb2213979c9a865a793
SHA1fe91a76f2008b762584eea35cc54e08ca0a72c35
SHA256f44edc671fdbb68ff28a67358790f58c021607c0a1d433fc7ae07e77fbd62b76
SHA5120c07604f38cf2afc9f494e3bbc29ac3c8462fb7aa1019a8360ec90a3369088e919d43e247adf297682e76bf41057b4757e93aae68f5c7d858cc06cc7073c3112
-
Filesize
267KB
MD5b64e24180fac6fb2213979c9a865a793
SHA1fe91a76f2008b762584eea35cc54e08ca0a72c35
SHA256f44edc671fdbb68ff28a67358790f58c021607c0a1d433fc7ae07e77fbd62b76
SHA5120c07604f38cf2afc9f494e3bbc29ac3c8462fb7aa1019a8360ec90a3369088e919d43e247adf297682e76bf41057b4757e93aae68f5c7d858cc06cc7073c3112
-
Filesize
267KB
MD5b64e24180fac6fb2213979c9a865a793
SHA1fe91a76f2008b762584eea35cc54e08ca0a72c35
SHA256f44edc671fdbb68ff28a67358790f58c021607c0a1d433fc7ae07e77fbd62b76
SHA5120c07604f38cf2afc9f494e3bbc29ac3c8462fb7aa1019a8360ec90a3369088e919d43e247adf297682e76bf41057b4757e93aae68f5c7d858cc06cc7073c3112
-
Filesize
267KB
MD5b64e24180fac6fb2213979c9a865a793
SHA1fe91a76f2008b762584eea35cc54e08ca0a72c35
SHA256f44edc671fdbb68ff28a67358790f58c021607c0a1d433fc7ae07e77fbd62b76
SHA5120c07604f38cf2afc9f494e3bbc29ac3c8462fb7aa1019a8360ec90a3369088e919d43e247adf297682e76bf41057b4757e93aae68f5c7d858cc06cc7073c3112
-
Filesize
267KB
MD5b64e24180fac6fb2213979c9a865a793
SHA1fe91a76f2008b762584eea35cc54e08ca0a72c35
SHA256f44edc671fdbb68ff28a67358790f58c021607c0a1d433fc7ae07e77fbd62b76
SHA5120c07604f38cf2afc9f494e3bbc29ac3c8462fb7aa1019a8360ec90a3369088e919d43e247adf297682e76bf41057b4757e93aae68f5c7d858cc06cc7073c3112
-
Filesize
267KB
MD5b64e24180fac6fb2213979c9a865a793
SHA1fe91a76f2008b762584eea35cc54e08ca0a72c35
SHA256f44edc671fdbb68ff28a67358790f58c021607c0a1d433fc7ae07e77fbd62b76
SHA5120c07604f38cf2afc9f494e3bbc29ac3c8462fb7aa1019a8360ec90a3369088e919d43e247adf297682e76bf41057b4757e93aae68f5c7d858cc06cc7073c3112
-
Filesize
267KB
MD5b64e24180fac6fb2213979c9a865a793
SHA1fe91a76f2008b762584eea35cc54e08ca0a72c35
SHA256f44edc671fdbb68ff28a67358790f58c021607c0a1d433fc7ae07e77fbd62b76
SHA5120c07604f38cf2afc9f494e3bbc29ac3c8462fb7aa1019a8360ec90a3369088e919d43e247adf297682e76bf41057b4757e93aae68f5c7d858cc06cc7073c3112