Analysis
-
max time kernel
145s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
17/07/2023, 15:39 UTC
Static task
static1
Behavioral task
behavioral1
Sample
awdawcawdawdaw.dll
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
awdawcawdawdaw.dll
Resource
win10v2004-20230703-en
General
-
Target
awdawcawdawdaw.dll
-
Size
364KB
-
MD5
7205f7a87ae43f2a44e957da375ec737
-
SHA1
c0f05bf3fac27fa03fdc19fae2d4bbd1e9c44132
-
SHA256
318440d1fdbe2178d0c00f259b27430b1d6951de2b436157d8ad2139a30f62b4
-
SHA512
be0c6174a8fff24043e7c4c19c37cf71cb751d33476d15e1cf29fa7ce1f6e993f0cae8c5ec02a96f1e75b1f909f9e94a6c4d6267bdb7dec88cadb9bf3ecdc4e2
-
SSDEEP
6144:xKwmzKKeCO9UAhB++UcyBhc9SsSSWNPXfer7EGjvlBRuncqXxCtHx:xKVwBewwcy7sIXfeEGj0zs
Malware Config
Signatures
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk PowerShell.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4408 set thread context of 3840 4408 rundll32.exe 85 PID 464 set thread context of 3636 464 rundll32.exe 111 -
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
pid Process 1592 ipconfig.exe 2076 netstat.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3840 SearchProtocolHost.exe 3840 SearchProtocolHost.exe 3368 PowerShell.exe 3368 PowerShell.exe 3636 SearchProtocolHost.exe 3636 SearchProtocolHost.exe 3840 SearchProtocolHost.exe 3840 SearchProtocolHost.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid Process 4408 rundll32.exe 464 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 29 IoCs
description pid Process Token: SeDebugPrivilege 3368 PowerShell.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 4624 whoami.exe Token: SeDebugPrivilege 2076 netstat.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4916 wrote to memory of 4408 4916 rundll32.exe 83 PID 4916 wrote to memory of 4408 4916 rundll32.exe 83 PID 4916 wrote to memory of 4408 4916 rundll32.exe 83 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85 PID 4408 wrote to memory of 3840 4408 rundll32.exe 85
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\awdawcawdawdaw.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\awdawcawdawdaw.dll,#12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\SearchProtocolHost.exe"C:\Windows\System32\SearchProtocolHost.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3840 -
C:\Windows\SysWOW64\whoami.exewhoami.exe /all4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4624
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig.exe /all4⤵
- Gathers network information
PID:1592
-
-
C:\Windows\SysWOW64\netstat.exenetstat.exe -aon4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:2076
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3412
-
C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\AppData\Local\Temp'1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3368 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" .\awdawcawdawdaw.dll,watchdog2⤵PID:1712
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" .\awdawcawdawdaw.dll,watchdog3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:464 -
C:\Windows\SysWOW64\SearchProtocolHost.exe"C:\Windows\System32\SearchProtocolHost.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3636
-
-
-
Network
-
Remote address:8.8.8.8:53Request146.78.124.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request133.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request158.240.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request75.121.18.2.in-addr.arpaIN PTRResponse75.121.18.2.in-addr.arpaIN PTRa2-18-121-75deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request208.194.73.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request157.123.68.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request1.202.248.87.in-addr.arpaIN PTRResponse1.202.248.87.in-addr.arpaIN PTRhttps-87-248-202-1amsllnwnet
-
Remote address:8.8.8.8:53Requestassets.msn.comIN AResponseassets.msn.comIN CNAMEassets.msn.com.edgekey.netassets.msn.com.edgekey.netIN CNAMEe28578.d.akamaiedge.nete28578.d.akamaiedge.netIN A95.101.74.90e28578.d.akamaiedge.netIN A95.101.74.111
-
GEThttps://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=fdc286b0-51d9-4d1f-928d-67aa7780b571&ocid=windows-windowsShell-feeds&user=m-0929d3a238cc47ce8673f69c6eefd7d2&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtaskRemote address:95.101.74.90:443RequestGET /serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=fdc286b0-51d9-4d1f-928d-67aa7780b571&ocid=windows-windowsShell-feeds&user=m-0929d3a238cc47ce8673f69c6eefd7d2&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtask HTTP/2.0
host: assets.msn.com
x-search-account: None
accept-encoding: gzip, deflate
x-device-machineid: {D12C4634-8E54-424E-85E7-7D0A6A197942}
x-userageclass: Unknown
x-bm-market: US
x-bm-dateformat: M/d/yyyy
x-device-ossku: 48
x-bm-dtz: 0
x-deviceid: 0100B2E609000CC3
x-bm-windowsflights: FX:119E26AD,FX:11D898D7,FX:11DB147C,FX:11DE505A,FX:11E11E97,FX:11E3E2BA,FX:11E50151,FX:11E9EE98,FX:11F1992A,FX:11F4161E,FX:11F41B68,FX:11FB0F2F,FX:1201B330,FX:1202B7FC,FX:120BB68E,FX:121A20E1,FX:121BF15F,FX:121E5EC8,FX:122D8E86,FX:123031A3,FX:1231B88B,FX:123371B1,FX:1233C945,FX:123D7C31,FX:1240013C,FX:1246E4A3,FX:1248306D,FX:124B38D0,FX:1250080B,FX:125A7FDA,FX:1264FA75,FX:126DBC22,FX:127159BE,FX:12769734,FX:127C935B,FX:127DC03A,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5
sitename: www.msn.com
x-bm-theme: 000000;0078d7
muid: 0929D3A238CC47CE8673F69C6EEFD7D2
x-agent-deviceid: 0100B2E609000CC3
x-bm-onlinesearchdisabled: true
x-bm-cbt: 1689608438
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.2.19041; 10.0.0.0.19041.1288) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
x-device-isoptin: false
accept-language: en-US, en
x-device-touch: false
x-device-clientsession: 1FF65AEA883942BBBEAAAA1DC80ABCC4
cookie: MUID=0929D3A238CC47CE8673F69C6EEFD7D2
ResponseHTTP/2.0 200
server: Kestrel
access-control-allow-credentials: true
access-control-allow-headers: TicketType,RequestContinuationKey,AuthToken,Content-Type,x-client-activityid,ms-cv,signedInCookieName,muid,appid,User-Location,user-location,userauthtoken,usertickettype,sitename,s2sauthtoken,thumbprint,Authorization,Ent-Authorization,UserIdToken,DDD-TMPL,DDD-ActivityId,DDD-FeatureSet,DDD-Session-ID,Date,date,ads-referer,ads-referer,taboola-sessionId,taboola-sessionid,Akamai-Request-ID,Akamai-Server-IP,X-MSEdge-Ref,DDD-DebugId,s-xbox-token,OneWebServiceLatency,X-FD-Features,DDD-UserType,traceparent
access-control-allow-methods: PUT,PATCH,POST,GET,OPTIONS,DELETE
access-control-allow-origin: *.msn.com
access-control-expose-headers: TicketType,RequestContinuationKey,AuthToken,Content-Type,x-client-activityid,ms-cv,signedInCookieName,muid,appid,User-Location,user-location,userauthtoken,usertickettype,sitename,s2sauthtoken,thumbprint,Authorization,Ent-Authorization,UserIdToken,DDD-TMPL,DDD-ActivityId,DDD-FeatureSet,DDD-Session-ID,Date,date,ads-referer,ads-referer,taboola-sessionId,taboola-sessionid,Akamai-Request-ID,Akamai-Server-IP,X-MSEdge-Ref,DDD-DebugId,s-xbox-token,OneWebServiceLatency,X-FD-Features,DDD-UserType,traceparent
content-encoding: gzip
ddd-authenticatedwithjwtflow: False
ddd-usertype: AnonymousMuid
ddd-tmpl: daucoldcap:1;tbn:0;coldStartUpsell:1;coldStart:1;lowT:0;BingRecoCode:Success;lowC:0;IsRecoNewUser:1;SageUser:0;winbadge:1;partialResponse:1
ddd-feednewsitemcount: 1
x-wpo-activityid: A48E65B4-6A7D-46B1-9ACD-ACA6A18EF09A|2023-07-17T15:40:39.9249578Z|fabric:/wpo|FRC|WPO_67
ddd-activityid: a48e65b4-6a7d-46b1-9acd-aca6a18ef09a
ddd-strategyexecutionlatency: 00:00:00.1487112
ddd-debugid: a48e65b4-6a7d-46b1-9acd-aca6a18ef09a|2023-07-17T15:40:39.9323674Z|fabric:/winfeed|FRC|WinFeed_584
onewebservicelatency: 149
x-msedge-responseinfo: 149
x-ceto-ref: 64b560f7d5de47988b2a6f031f3b4edc|2023-07-17T15:40:39.772Z
expires: Mon, 17 Jul 2023 15:40:39 GMT
date: Mon, 17 Jul 2023 15:40:39 GMT
content-length: 1509
akamai-request-bc: [a=95.101.55.26,b=960422614,c=g,n=NL__SCHIPHOL,o=20940],[a=20.74.25.147,c=o]
server-timing: clientrtt; dur=18, clienttt; dur=166, origin; dur=165 , cdntime; dur=1
akamai-cache-status: Miss from child
akamai-server-ip: 95.101.55.26
akamai-request-id: 393ee2d6
x-as-suppresssetcookie: 1
cache-control: private, max-age=0
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://deff.nelreports.net/api/report?cat=msn"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":0.1}
timing-allow-origin: *
vary: Origin
-
Remote address:8.8.8.8:53Request90.74.101.95.in-addr.arpaIN PTRResponse90.74.101.95.in-addr.arpaIN PTRa95-101-74-90deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request11.227.111.52.in-addr.arpaIN PTRResponse
-
POSThttps://192.9.135.73:1194/retuse/7Yt6SaQ38ArzJv7gV?bamboo=5b116Xt89x6TvA0&InhabitancyFrondiferous=GD6J3LOOGEaph1&IdioticRelatedly=14t9ZQASearchProtocolHost.exeRemote address:192.9.135.73:1194RequestPOST /retuse/7Yt6SaQ38ArzJv7gV?bamboo=5b116Xt89x6TvA0&InhabitancyFrondiferous=GD6J3LOOGEaph1&IdioticRelatedly=14t9ZQA HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8
Host: 192.9.135.73:1194
Content-Length: 18132
Cache-Control: no-cache
ResponseHTTP/1.1 404 Not Found
Date: Mon, 17 Jul 2023 15:41:38 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 232
Connection: keep-alive
-
Remote address:8.8.8.8:53Request73.135.9.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request6.173.189.20.in-addr.arpaIN PTRResponse
-
95.101.74.90:443https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=fdc286b0-51d9-4d1f-928d-67aa7780b571&ocid=windows-windowsShell-feeds&user=m-0929d3a238cc47ce8673f69c6eefd7d2&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtasktls, http22.7kB 10.6kB 21 19
HTTP Request
GET https://assets.msn.com/serviceak/v1/news/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&activityId=fdc286b0-51d9-4d1f-928d-67aa7780b571&ocid=windows-windowsShell-feeds&user=m-0929d3a238cc47ce8673f69c6eefd7d2&Treatment=T6&MaximumDimensions=660x640&experience=Taskbar&AppVersion=1&osLocale=en-US&caller=bgtaskHTTP Response
200 -
192.9.135.73:1194https://192.9.135.73:1194/retuse/7Yt6SaQ38ArzJv7gV?bamboo=5b116Xt89x6TvA0&InhabitancyFrondiferous=GD6J3LOOGEaph1&IdioticRelatedly=14t9ZQAtls, httpSearchProtocolHost.exe33.4kB 3.3kB 32 11
HTTP Request
POST https://192.9.135.73:1194/retuse/7Yt6SaQ38ArzJv7gV?bamboo=5b116Xt89x6TvA0&InhabitancyFrondiferous=GD6J3LOOGEaph1&IdioticRelatedly=14t9ZQAHTTP Response
404
-
72 B 158 B 1 1
DNS Request
146.78.124.51.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
133.32.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
158.240.127.40.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
75.121.18.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
208.194.73.20.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
157.123.68.40.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
71 B 116 B 1 1
DNS Request
1.202.248.87.in-addr.arpa
-
60 B 166 B 1 1
DNS Request
assets.msn.com
DNS Response
95.101.74.9095.101.74.111
-
71 B 135 B 1 1
DNS Request
90.74.101.95.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
11.227.111.52.in-addr.arpa
-
71 B 146 B 1 1
DNS Request
73.135.9.192.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
6.173.189.20.in-addr.arpa
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82