Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 12-12-2023 07:48
Static task: static1
Behavioral task: behavioral1
- Sample: Para Transferi Bilgilendirmesi-dekont.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: Para Transferi Bilgilendirmesi-dekont.exe
- Resource: win10v2004-20231127-en
General
Target: Para Transferi Bilgilendirmesi-dekont.exe
Size: 893KB
MD5: 21d1df1da2e98a9ab9268712b8448e84
SHA1: 37c3233503068ba139bddcd9569ebaa068265590
SHA256: a6aecca7d8f0cf861ae32b0ce54822e1d3c82e94685861b130c842f602b9d7db
SHA512: b6eda1358566719b0bd5923caad17d3f678b816eff8bc613a1930ec0f83fe8a4ea65194a15ebf2fb1458b8889b369483e19107eac955e0ea0c380ff3c456bd63
SSDEEP: 24576:K5xolYQY65XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXA:dYkXXXXXXXXXXXXXXXXXXXXXXXXXXXXQ
Malware Config
Extracted
agenttesla
Protocol: ftp
Host: ftp://ftp.aksumer.com
Port: 21
Username: aksumerc
Password: 211116.kS*-
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Detect ZGRat V1 1 IoCs
Processes:
- resource: behavioral1/memory/892-87-0x0000000000330000-0x0000000000348000-memory.dmp; yara_rule: family_zgrat_v1
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (process: svchost.exe)
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: svchost.exe)
Modifies Installed Components in the registry 2 TTPs 8 IoCs
Processes:
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: explorer.exe)
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (process: svchost.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} (process: svchost.exe)
Executes dropped EXE 8 IoCs
Processes:
- PID 892: para transferi bilgilendirmesi-dekont.exe
- PID 2732: icsys.icn.exe
- PID 2916: explorer.exe
- PID 2692: spoolsv.exe
- PID 2592: svchost.exe
- PID 2500: spoolsv.exe
- PID 1656: para transferi bilgilendirmesi-dekont.exe
- PID 1052: para transferi bilgilendirmesi-dekont.exe
Loads dropped DLL 13 IoCs
Processes:
- PID 1464: Para Transferi Bilgilendirmesi-dekont.exe (3 entries)
- PID 2732: icsys.icn.exe (2 entries)
- PID 2916: explorer.exe (2 entries)
- PID 2692: spoolsv.exe (2 entries)
- PID 2592: svchost.exe (2 entries)
- PID 892: para transferi bilgilendirmesi-dekont.exe (2 entries)
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (process: svchost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (process: explorer.exe)
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 4: api.ipify.org
- flow 5: api.ipify.org
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 892 (para transferi bilgilendirmesi-dekont.exe) set thread context of PID 1052 (para transferi bilgilendirmesi-dekont.exe)
Drops file in Windows directory 6 IoCs
Processes:
- File opened for modification \??\c:\windows\system\svchost.exe (process: spoolsv.exe)
- File opened for modification \??\c:\windows\system\explorer.exe (process: explorer.exe)
- File opened for modification \??\c:\windows\system\svchost.exe (process: svchost.exe)
- File opened for modification C:\Windows\system\udsys.exe (process: explorer.exe)
- File opened for modification \??\c:\windows\system\explorer.exe (process: icsys.icn.exe)
- File opened for modification \??\c:\windows\system\spoolsv.exe (process: explorer.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 2732: icsys.icn.exe
- PID 2916: explorer.exe (repeated entries)
- PID 2592: svchost.exe (repeated entries)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
- PID 2916: explorer.exe
- PID 2592: svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- Token: SeDebugPrivilege, PID 892: para transferi bilgilendirmesi-dekont.exe
- Token: SeDebugPrivilege, PID 1052: para transferi bilgilendirmesi-dekont.exe
Suspicious use of SetWindowsHookEx 15 IoCs
Processes:
- PID 1464: Para Transferi Bilgilendirmesi-dekont.exe (2 entries)
- PID 2732: icsys.icn.exe (2 entries)
- PID 2916: explorer.exe (4 entries)
- PID 2692: spoolsv.exe (2 entries)
- PID 2592: svchost.exe (2 entries)
- PID 2500: spoolsv.exe (2 entries)
- PID 1052: para transferi bilgilendirmesi-dekont.exe (1 entry)
Suspicious use of WriteProcessMemory 49 IoCs
Processes:
- PID 1464 (Para Transferi Bilgilendirmesi-dekont.exe) wrote to memory of PID 892 (para transferi bilgilendirmesi-dekont.exe) (4 entries)
- PID 1464 (Para Transferi Bilgilendirmesi-dekont.exe) wrote to memory of PID 2732 (icsys.icn.exe) (4 entries)
- PID 2732 (icsys.icn.exe) wrote to memory of PID 2916 (explorer.exe) (4 entries)
- PID 2916 (explorer.exe) wrote to memory of PID 2692 (spoolsv.exe) (4 entries)
- PID 2692 (spoolsv.exe) wrote to memory of PID 2592 (svchost.exe) (4 entries)
- PID 2592 (svchost.exe) wrote to memory of PID 2500 (spoolsv.exe) (4 entries)
- PID 2592 (svchost.exe) wrote to memory of PID 1048 (at.exe) (4 entries)
- PID 892 (para transferi bilgilendirmesi-dekont.exe) wrote to memory of PID 1656 (para transferi bilgilendirmesi-dekont.exe) (4 entries)
- PID 892 (para transferi bilgilendirmesi-dekont.exe) wrote to memory of PID 1052 (para transferi bilgilendirmesi-dekont.exe) (9 entries)
- PID 2592 (svchost.exe) wrote to memory of PID 1336 (at.exe) (4 entries)
- PID 2592 (svchost.exe) wrote to memory of PID 2600 (at.exe) (4 entries)
Processes
PID 1464 (depth 1): C:\Users\Admin\AppData\Local\Temp\Para Transferi Bilgilendirmesi-dekont.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Para Transferi Bilgilendirmesi-dekont.exe"
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID 892 (depth 2): \??\c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe
Command line: "c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe "
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID 1656 (depth 3): \??\c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe
Command line: "c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe "
- Executes dropped EXE
PID 1052 (depth 3): \??\c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe
Command line: "c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe "
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID 2732 (depth 2): C:\Users\Admin\AppData\Local\icsys.icn.exe
Command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID 2916 (depth 3): \??\c:\windows\system\explorer.exe
Command line: c:\windows\system\explorer.exe
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID 2692 (depth 4): \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID 2592 (depth 5): \??\c:\windows\system\svchost.exe
Command line: c:\windows\system\svchost.exe
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID 2500 (depth 6): \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe PR
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID 1048 (depth 6): C:\Windows\SysWOW64\at.exe
Command line: at 07:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
PID 1336 (depth 6): C:\Windows\SysWOW64\at.exe
Command line: at 07:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
PID 2600 (depth 6): C:\Windows\SysWOW64\at.exe
Command line: at 07:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Downloads