Analysis
-
max time kernel
115s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
01/06/2023, 19:32
Static task
static1
Behavioral task
behavioral1
Sample
a27b6bfb8e6aef454395cbab2bdf7cd1.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
a27b6bfb8e6aef454395cbab2bdf7cd1.exe
Resource
win10v2004-20230220-en
General
-
Target
a27b6bfb8e6aef454395cbab2bdf7cd1.exe
-
Size
552KB
-
MD5
a27b6bfb8e6aef454395cbab2bdf7cd1
-
SHA1
4a60125f0964f4992471c37d606fb0fdb4d98eb6
-
SHA256
8022060ef633e157518037122a6003813cc0a3066d456a1164275a211efc8f5c
-
SHA512
5bf76dbfe740cfa7a78c65a9d51ecc0c120a828baa683a336b73cbb3b58ef2765759f186cd082adc04675c0bfe20c9b252074dadaa148ab67debc5ac74922d57
-
SSDEEP
12288:F8ENlAKnykvnA6NkSo3wtfVx9Edm3pd4bOjxeEUYQc5aYWyQ0h75:SENlF4rRqfVxQGp7jN5aBWV5
Malware Config
Extracted
C:\Program Files\Java\jdk1.7.0_80\db\Restore-My-Files.txt
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
https://bigblog.at
http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion
http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion
https://decoding.at
Signatures
-
Lockbit
Ransomware family with multiple variants released since late 2019.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 2700 bcdedit.exe 2776 bcdedit.exe -
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\UnprotectSuspend.tiff => C:\users\admin\pictures\unprotectsuspend.tiff.lockbit a27b6bfb8e6aef454395cbab2bdf7cd1.exe File renamed C:\Users\Admin\Pictures\LimitProtect.png => C:\users\admin\pictures\limitprotect.png.lockbit a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\users\admin\pictures\unprotectsuspend.tiff a27b6bfb8e6aef454395cbab2bdf7cd1.exe File renamed C:\Users\Admin\Pictures\AddSync.raw => C:\users\admin\pictures\addsync.raw.lockbit a27b6bfb8e6aef454395cbab2bdf7cd1.exe File renamed C:\Users\Admin\Pictures\ResolveJoin.raw => C:\users\admin\pictures\resolvejoin.raw.lockbit a27b6bfb8e6aef454395cbab2bdf7cd1.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a27b6bfb8e6aef454395cbab2bdf7cd1.exe Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\{38AC233C-9696-277B-92F6-9248B95182A7} = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a27b6bfb8e6aef454395cbab2bdf7cd1.exe\"" a27b6bfb8e6aef454395cbab2bdf7cd1.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\windows\SysWOW64\B3ACB0.ico a27b6bfb8e6aef454395cbab2bdf7cd1.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs
pid Process 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0101859.bmp a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\media\office14\lines\bd14710_.gif a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\7-zip\lang\io.txt a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\deploy\messages_zh_tw.properties a27b6bfb8e6aef454395cbab2bdf7cd1.exe File created C:\program files\java\jre7\lib\ext\Restore-My-Files.txt a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\windows sidebar\gadgets\clock.gadget\images\settings_divider_left.png a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\templates\1033\access\part\users.accdt a27b6bfb8e6aef454395cbab2bdf7cd1.exe File created C:\program files\java\jre7\lib\jfr\Restore-My-Files.txt a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\mozilla firefox\gmp-clearkey\0.1\manifest.json a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0107182.wmf a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms4\formsstyles\graycheck\header.gif a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\windows sidebar\gadgets\clock.gadget\images\square.png a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\deploy.jar a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-charts.jar a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\java\jre7\lib\plugin.jar a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\media\office14\bullets\bd14790_.gif a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\dvd maker\shared\dvdstyles\navigationup_buttongraphic.png a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\zi\pacific\rarotonga a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_cn.jar a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\videolan\vlc\lua\http\css\main.css a27b6bfb8e6aef454395cbab2bdf7cd1.exe File created C:\program files\java\jre7\lib\zi\europe\Restore-My-Files.txt a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\commondata\commsincomingimagemasksmall.bmp a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\windows sidebar\gadgets\clock.gadget\images\novelty_s.png a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\windows sidebar\gadgets\currency.gadget\fr-fr\js\library.js a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0107744.wmf a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\na02423_.wmf a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_ja.jar a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\java\jre7\lib\zi\europe\oslo a27b6bfb8e6aef454395cbab2bdf7cd1.exe File created C:\program files\microsoft games\freecell\en-us\Restore-My-Files.txt a27b6bfb8e6aef454395cbab2bdf7cd1.exe File created C:\program files\videolan\vlc\locale\hu\lc_messages\Restore-My-Files.txt a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\office14\pagesize\pglbl087.xml a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\office14\pubwiz\sign98.poc a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\java\jre7\lib\zi\indian\cocos a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0086432.wmf a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\parnt_04.mid a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\office14\1033\powerpnt.dev_col.hxc a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\office14\1033\xlintl32.rest.idx_dll a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\office14\pubwiz\dgad.dpv a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\office14\omml2mml.xsl a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\dvd maker\shared\dvdstyles\oldage\1047x576black.png a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\zi\europe\luxembourg a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\java\jre7\lib\zi\etc\gmt a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\windows sidebar\gadgets\currency.gadget\en-us\currency.html a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\config\modules\org-netbeans-modules-uihandler.xml a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\config\modules\org-netbeans-swing-outline.xml a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\videolan\vlc\locale\vi\lc_messages\vlc.mo a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\dd00121_.wmf a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms\view.css a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveprojecttoolset\circleiconsmask.bmp a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\zi\antarctica\vostok a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\zi\etc\gmt-11 a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\java\jre7\lib\zi\pacific\pitcairn a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\adobe\reader 9.0\reader\plug_ins\spelling.api a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\microsoft office\office14\mso example setup file a.txt a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\na01064_.wmf a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms3\form_edit.js a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\zi\america\indiana\winamac a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\visualvm\platform\config\modules\org-openide-util-enumerations.xml a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\office14\1033\winword_f_col.hxk a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\windows mail\ja-jp\winmail.exe.mui a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\zi\asia\hong_kong a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar a27b6bfb8e6aef454395cbab2bdf7cd1.exe File opened for modification C:\program files (x86)\microsoft office\clipart\pub60cor\j0188587.wmf a27b6bfb8e6aef454395cbab2bdf7cd1.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1684 vssadmin.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \Registry\Machine\Software\Classes\.lockbit a27b6bfb8e6aef454395cbab2bdf7cd1.exe Key created \Registry\Machine\Software\Classes\.lockbit\DefaultIcon a27b6bfb8e6aef454395cbab2bdf7cd1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lockbit\DefaultIcon\ = "C:\\windows\\SysWow64\\B3ACB0.ico" a27b6bfb8e6aef454395cbab2bdf7cd1.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe Token: SeDebugPrivilege 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe Token: SeBackupPrivilege 1384 vssvc.exe Token: SeRestorePrivilege 1384 vssvc.exe Token: SeAuditPrivilege 1384 vssvc.exe Token: SeIncreaseQuotaPrivilege 2476 WMIC.exe Token: SeSecurityPrivilege 2476 WMIC.exe Token: SeTakeOwnershipPrivilege 2476 WMIC.exe Token: SeLoadDriverPrivilege 2476 WMIC.exe Token: SeSystemProfilePrivilege 2476 WMIC.exe Token: SeSystemtimePrivilege 2476 WMIC.exe Token: SeProfSingleProcessPrivilege 2476 WMIC.exe Token: SeIncBasePriorityPrivilege 2476 WMIC.exe Token: SeCreatePagefilePrivilege 2476 WMIC.exe Token: SeBackupPrivilege 2476 WMIC.exe Token: SeRestorePrivilege 2476 WMIC.exe Token: SeShutdownPrivilege 2476 WMIC.exe Token: SeDebugPrivilege 2476 WMIC.exe Token: SeSystemEnvironmentPrivilege 2476 WMIC.exe Token: SeRemoteShutdownPrivilege 2476 WMIC.exe Token: SeUndockPrivilege 2476 WMIC.exe Token: SeManageVolumePrivilege 2476 WMIC.exe Token: 33 2476 WMIC.exe Token: 34 2476 WMIC.exe Token: 35 2476 WMIC.exe Token: SeIncreaseQuotaPrivilege 2476 WMIC.exe Token: SeSecurityPrivilege 2476 WMIC.exe Token: SeTakeOwnershipPrivilege 2476 WMIC.exe Token: SeLoadDriverPrivilege 2476 WMIC.exe Token: SeSystemProfilePrivilege 2476 WMIC.exe Token: SeSystemtimePrivilege 2476 WMIC.exe Token: SeProfSingleProcessPrivilege 2476 WMIC.exe Token: SeIncBasePriorityPrivilege 2476 WMIC.exe Token: SeCreatePagefilePrivilege 2476 WMIC.exe Token: SeBackupPrivilege 2476 WMIC.exe Token: SeRestorePrivilege 2476 WMIC.exe Token: SeShutdownPrivilege 2476 WMIC.exe Token: SeDebugPrivilege 2476 WMIC.exe Token: SeSystemEnvironmentPrivilege 2476 WMIC.exe Token: SeRemoteShutdownPrivilege 2476 WMIC.exe Token: SeUndockPrivilege 2476 WMIC.exe Token: SeManageVolumePrivilege 2476 WMIC.exe Token: 33 2476 WMIC.exe Token: 34 2476 WMIC.exe Token: 35 2476 WMIC.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2028 wrote to memory of 1876 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 29 PID 2028 wrote to memory of 1876 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 29 PID 2028 wrote to memory of 1876 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 29 PID 2028 wrote to memory of 1876 2028 a27b6bfb8e6aef454395cbab2bdf7cd1.exe 29 PID 1876 wrote to memory of 1684 1876 cmd.exe 31 PID 1876 wrote to memory of 1684 1876 cmd.exe 31 PID 1876 wrote to memory of 1684 1876 cmd.exe 31 PID 1876 wrote to memory of 2476 1876 cmd.exe 34 PID 1876 wrote to memory of 2476 1876 cmd.exe 34 PID 1876 wrote to memory of 2476 1876 cmd.exe 34 PID 1876 wrote to memory of 2700 1876 cmd.exe 36 PID 1876 wrote to memory of 2700 1876 cmd.exe 36 PID 1876 wrote to memory of 2700 1876 cmd.exe 36 PID 1876 wrote to memory of 2776 1876 cmd.exe 37 PID 1876 wrote to memory of 2776 1876 cmd.exe 37 PID 1876 wrote to memory of 2776 1876 cmd.exe 37 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a27b6bfb8e6aef454395cbab2bdf7cd1.exe"C:\Users\Admin\AppData\Local\Temp\a27b6bfb8e6aef454395cbab2bdf7cd1.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no2⤵
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1684
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2476
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:2700
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:2776
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1384
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512B
MD58575439672cccc34f3f8a64bc31676b6
SHA1ae91934ab355c33099e3448e8a317fb989f6d59a
SHA25603ed6d27609b899446ed6fb4826286e36326e8e43c121e296e3bc4e32b977530
SHA5125d12e5e9c13c462102bf7af1efdd857f92dd117587dfbc05a36fb126ec10fcd45906cf1f76e3e823c37fa89d094f785ab41c3e47ccc476372b234845f83aedb4