Analysis
-
max time kernel
124s -
max time network
107s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
07/11/2022, 18:22
Static task
static1
Behavioral task
behavioral1
Sample
49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe
Resource
win10v2004-20220901-en
General
-
Target
49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe
-
Size
222KB
-
MD5
02a69354c57dbbc3c39cc463efff5b5a
-
SHA1
b00657df7a66d3d344a023a725bff6908b8ce784
-
SHA256
49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d
-
SHA512
b6bf45607c5f9b68f3f546a516e8a551f7bbe27bc4e60261b8d972a580e7a34ab6e97f675ea26ac985627d51cd1f75c203a0ba7807bd2110922f329b0c8e3cee
-
SSDEEP
3072:obpDCw1p3vmLvsZIaVwiwDcIbDHDCm/DER4eQaYG:gDCwfG1bnxLERRNYG
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" avscan.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" hosts.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" avscan.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" hosts.exe -
Adds policy Run key to start application 2 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run WScript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IYMUGYHL = "W_X_C.bat" WScript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run WScript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IYMUGYHL = "W_X_C.bat" WScript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run WScript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IYMUGYHL = "W_X_C.bat" WScript.exe -
Executes dropped EXE 6 IoCs
pid Process 2412 avscan.exe 64 avscan.exe 1356 hosts.exe 4716 hosts.exe 4520 avscan.exe 3196 hosts.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation cmd.exe -
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" 49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run avscan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" avscan.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run hosts.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" hosts.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File created \??\c:\windows\W_X_C.bat 49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe File opened for modification C:\Windows\hosts.exe 49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe File opened for modification C:\Windows\hosts.exe avscan.exe File opened for modification C:\Windows\hosts.exe hosts.exe File created C:\windows\W_X_C.vbs 49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings 49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings cmd.exe -
Modifies registry key 1 TTPs 9 IoCs
pid Process 2228 REG.exe 1692 REG.exe 2172 REG.exe 2760 REG.exe 3900 REG.exe 4184 REG.exe 360 REG.exe 2580 REG.exe 4000 REG.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2412 avscan.exe 4716 hosts.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 4812 49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe 2412 avscan.exe 64 avscan.exe 4716 hosts.exe 1356 hosts.exe 4520 avscan.exe 3196 hosts.exe -
Suspicious use of WriteProcessMemory 63 IoCs
description pid Process procid_target PID 4812 wrote to memory of 2228 4812 49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe 80 PID 4812 wrote to memory of 2228 4812 49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe 80 PID 4812 wrote to memory of 2228 4812 49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe 80 PID 4812 wrote to memory of 2412 4812 49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe 82 PID 4812 wrote to memory of 2412 4812 49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe 82 PID 4812 wrote to memory of 2412 4812 49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe 82 PID 2412 wrote to memory of 64 2412 avscan.exe 83 PID 2412 wrote to memory of 64 2412 avscan.exe 83 PID 2412 wrote to memory of 64 2412 avscan.exe 83 PID 2412 wrote to memory of 1796 2412 avscan.exe 84 PID 2412 wrote to memory of 1796 2412 avscan.exe 84 PID 2412 wrote to memory of 1796 2412 avscan.exe 84 PID 4812 wrote to memory of 4640 4812 49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe 85 PID 4812 wrote to memory of 4640 4812 49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe 85 PID 4812 wrote to memory of 4640 4812 49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe 85 PID 4640 wrote to memory of 1356 4640 cmd.exe 89 PID 4640 wrote to memory of 1356 4640 cmd.exe 89 PID 4640 wrote to memory of 1356 4640 cmd.exe 89 PID 1796 wrote to memory of 4716 1796 cmd.exe 88 PID 1796 wrote to memory of 4716 1796 cmd.exe 88 PID 1796 wrote to memory of 4716 1796 cmd.exe 88 PID 4716 wrote to memory of 4520 4716 hosts.exe 91 PID 4716 wrote to memory of 4520 4716 hosts.exe 91 PID 4716 wrote to memory of 4520 4716 hosts.exe 91 PID 4716 wrote to memory of 1840 4716 hosts.exe 92 PID 4716 wrote to memory of 1840 4716 hosts.exe 92 PID 4716 wrote to memory of 1840 4716 hosts.exe 92 PID 4640 wrote to memory of 4680 4640 cmd.exe 94 PID 4640 wrote to memory of 4680 4640 cmd.exe 94 PID 4640 wrote to memory of 4680 4640 cmd.exe 94 PID 1840 wrote to memory of 3196 1840 cmd.exe 96 PID 1840 wrote to memory of 3196 1840 cmd.exe 96 PID 1840 wrote to memory of 3196 1840 cmd.exe 96 PID 1796 wrote to memory of 4308 1796 cmd.exe 95 PID 1796 wrote to memory of 4308 1796 cmd.exe 95 PID 1796 wrote to memory of 4308 1796 cmd.exe 95 PID 1840 wrote to memory of 3376 1840 cmd.exe 97 PID 1840 wrote to memory of 3376 1840 cmd.exe 97 PID 1840 wrote to memory of 3376 1840 cmd.exe 97 PID 2412 wrote to memory of 1692 2412 avscan.exe 105 PID 2412 wrote to memory of 1692 2412 avscan.exe 105 PID 2412 wrote to memory of 1692 2412 avscan.exe 105 PID 4716 wrote to memory of 360 4716 hosts.exe 107 PID 4716 wrote to memory of 360 4716 hosts.exe 107 PID 4716 wrote to memory of 360 4716 hosts.exe 107 PID 2412 wrote to memory of 2172 2412 avscan.exe 109 PID 2412 wrote to memory of 2172 2412 avscan.exe 109 PID 2412 wrote to memory of 2172 2412 avscan.exe 109 PID 4716 wrote to memory of 2760 4716 hosts.exe 111 PID 4716 wrote to memory of 2760 4716 hosts.exe 111 PID 4716 wrote to memory of 2760 4716 hosts.exe 111 PID 2412 wrote to memory of 3900 2412 avscan.exe 113 PID 2412 wrote to memory of 3900 2412 avscan.exe 113 PID 2412 wrote to memory of 3900 2412 avscan.exe 113 PID 4716 wrote to memory of 4184 4716 hosts.exe 115 PID 4716 wrote to memory of 4184 4716 hosts.exe 115 PID 4716 wrote to memory of 4184 4716 hosts.exe 115 PID 2412 wrote to memory of 2580 2412 avscan.exe 117 PID 2412 wrote to memory of 2580 2412 avscan.exe 117 PID 2412 wrote to memory of 2580 2412 avscan.exe 117 PID 4716 wrote to memory of 4000 4716 hosts.exe 119 PID 4716 wrote to memory of 4000 4716 hosts.exe 119 PID 4716 wrote to memory of 4000 4716 hosts.exe 119
Processes
-
C:\Users\Admin\AppData\Local\Temp\49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe"C:\Users\Admin\AppData\Local\Temp\49d8995d916d70954f10342a02df7615946cf813fed31134ce40bfd43637261d.exe"1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\REG.exeREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f2⤵
- Modifies registry key
PID:2228
-
-
C:\Users\Admin\AppData\Local\Temp\avscan.exeC:\Users\Admin\AppData\Local\Temp\avscan.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Users\Admin\AppData\Local\Temp\avscan.exeC:\Users\Admin\AppData\Local\Temp\avscan.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:64
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\windows\hosts.exeC:\windows\hosts.exe4⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Users\Admin\AppData\Local\Temp\avscan.exeC:\Users\Admin\AppData\Local\Temp\avscan.exe5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4520
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat5⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\windows\hosts.exeC:\windows\hosts.exe6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3196
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"6⤵
- Adds policy Run key to start application
PID:3376
-
-
-
C:\Windows\SysWOW64\REG.exeREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f5⤵
- Modifies registry key
PID:360
-
-
C:\Windows\SysWOW64\REG.exeREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f5⤵
- Modifies registry key
PID:2760
-
-
C:\Windows\SysWOW64\REG.exeREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f5⤵
- Modifies registry key
PID:4184
-
-
C:\Windows\SysWOW64\REG.exeREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f5⤵
- Modifies registry key
PID:4000
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"4⤵
- Adds policy Run key to start application
PID:4308
-
-
-
C:\Windows\SysWOW64\REG.exeREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f3⤵
- Modifies registry key
PID:1692
-
-
C:\Windows\SysWOW64\REG.exeREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f3⤵
- Modifies registry key
PID:2172
-
-
C:\Windows\SysWOW64\REG.exeREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f3⤵
- Modifies registry key
PID:3900
-
-
C:\Windows\SysWOW64\REG.exeREG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f3⤵
- Modifies registry key
PID:2580
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\windows\hosts.exeC:\windows\hosts.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1356
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"3⤵
- Adds policy Run key to start application
PID:4680
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5104
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
222KB
MD5c409fa603b199ac1399bce510daf09c0
SHA177eee3e39d2d3ff4551d7fee72843e9c8ec9ea1a
SHA256f21e778facefffe9a86fb39fad9561114bf7317255e6882ab0624c09b58d07c1
SHA512c267cdca0c40149e018eea5ae57d800a0f7664d2fa782653b9c715476d7512572e7472b05addfbdbb0792ff1501d3d33af15a1a1398d38f269cbe0f1e2c3bcb0
-
Filesize
222KB
MD5c409fa603b199ac1399bce510daf09c0
SHA177eee3e39d2d3ff4551d7fee72843e9c8ec9ea1a
SHA256f21e778facefffe9a86fb39fad9561114bf7317255e6882ab0624c09b58d07c1
SHA512c267cdca0c40149e018eea5ae57d800a0f7664d2fa782653b9c715476d7512572e7472b05addfbdbb0792ff1501d3d33af15a1a1398d38f269cbe0f1e2c3bcb0
-
Filesize
222KB
MD5c409fa603b199ac1399bce510daf09c0
SHA177eee3e39d2d3ff4551d7fee72843e9c8ec9ea1a
SHA256f21e778facefffe9a86fb39fad9561114bf7317255e6882ab0624c09b58d07c1
SHA512c267cdca0c40149e018eea5ae57d800a0f7664d2fa782653b9c715476d7512572e7472b05addfbdbb0792ff1501d3d33af15a1a1398d38f269cbe0f1e2c3bcb0
-
Filesize
222KB
MD5c409fa603b199ac1399bce510daf09c0
SHA177eee3e39d2d3ff4551d7fee72843e9c8ec9ea1a
SHA256f21e778facefffe9a86fb39fad9561114bf7317255e6882ab0624c09b58d07c1
SHA512c267cdca0c40149e018eea5ae57d800a0f7664d2fa782653b9c715476d7512572e7472b05addfbdbb0792ff1501d3d33af15a1a1398d38f269cbe0f1e2c3bcb0
-
Filesize
195B
MD50e0483d4802632100b6bfe8bc2e5d661
SHA1767e0deb7dcaa7676004e6053957c36cecfeeefa
SHA25681bbebb8d0e77ffffbc7b7d24afdcdce4089f4b04d1a12284eda861c25e03f9f
SHA5128279b0559ca30a0adc6c8614870c3e445866c20f0617a7153cab41982b451dfe9ea44478f37b884465235714623ef26a56f5ea3d1cb81767487c494d3703ab29
-
Filesize
222KB
MD5c8f847784a302ecf6caadc4c185fa89c
SHA108223476702bd3ee9d4e3ac2d7a2f6f58d5aac69
SHA256e89df70b4c80f8e8623377e156bc04f1a0b5ebeaa58e78e92526f0971ad19ae4
SHA5123bac7347472545ec89270aa6d866b85d83d46d84f002a9c29fbcc57b66cdbee08bbdbe43fea067284cb8bfa9356bd6dabdc4d4727fed74814358f0d8c31525ef
-
Filesize
222KB
MD5c8f847784a302ecf6caadc4c185fa89c
SHA108223476702bd3ee9d4e3ac2d7a2f6f58d5aac69
SHA256e89df70b4c80f8e8623377e156bc04f1a0b5ebeaa58e78e92526f0971ad19ae4
SHA5123bac7347472545ec89270aa6d866b85d83d46d84f002a9c29fbcc57b66cdbee08bbdbe43fea067284cb8bfa9356bd6dabdc4d4727fed74814358f0d8c31525ef
-
Filesize
222KB
MD5c8f847784a302ecf6caadc4c185fa89c
SHA108223476702bd3ee9d4e3ac2d7a2f6f58d5aac69
SHA256e89df70b4c80f8e8623377e156bc04f1a0b5ebeaa58e78e92526f0971ad19ae4
SHA5123bac7347472545ec89270aa6d866b85d83d46d84f002a9c29fbcc57b66cdbee08bbdbe43fea067284cb8bfa9356bd6dabdc4d4727fed74814358f0d8c31525ef
-
Filesize
222KB
MD5c8f847784a302ecf6caadc4c185fa89c
SHA108223476702bd3ee9d4e3ac2d7a2f6f58d5aac69
SHA256e89df70b4c80f8e8623377e156bc04f1a0b5ebeaa58e78e92526f0971ad19ae4
SHA5123bac7347472545ec89270aa6d866b85d83d46d84f002a9c29fbcc57b66cdbee08bbdbe43fea067284cb8bfa9356bd6dabdc4d4727fed74814358f0d8c31525ef
-
Filesize
222KB
MD5c8f847784a302ecf6caadc4c185fa89c
SHA108223476702bd3ee9d4e3ac2d7a2f6f58d5aac69
SHA256e89df70b4c80f8e8623377e156bc04f1a0b5ebeaa58e78e92526f0971ad19ae4
SHA5123bac7347472545ec89270aa6d866b85d83d46d84f002a9c29fbcc57b66cdbee08bbdbe43fea067284cb8bfa9356bd6dabdc4d4727fed74814358f0d8c31525ef
-
Filesize
336B
MD54db9f8b6175722b62ececeeeba1ce307
SHA13b3ba8414706e72a6fa19e884a97b87609e11e47
SHA256d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
SHA5121d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b