Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
13/01/2024, 20:26
Static task
static1
Behavioral task
behavioral1
Sample
5956d4f7e7ee67784eb1144040e52b5d.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
5956d4f7e7ee67784eb1144040e52b5d.exe
Resource
win10v2004-20231222-en
General
-
Target
5956d4f7e7ee67784eb1144040e52b5d.exe
-
Size
2.3MB
-
MD5
5956d4f7e7ee67784eb1144040e52b5d
-
SHA1
de6fb74735924dcf2463719652a9197b83dfff08
-
SHA256
3bd79a5e14e5c1d9d33230d737e40c877c1bcf5eaa750fbf15eb9791b88a544c
-
SHA512
d0a3069288fac6a86f476c0de03cf9d3174e4a3603519e6d20022335334741b0f2e101988e0c1770d8bbc3acf592618490e29598f549765dc67c4e8a6852a30c
-
SSDEEP
49152:U5+hFCjbRCWEiyOqB9XNusVlAHrj6zjWxiz8lVHTIioOFZQ+Z:U5aF8CMY/3luOWxiqZ7Z
Malware Config
Extracted
redline
@kosmostarsz
77.220.214.232:13459
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
resource yara_rule behavioral2/files/0x0006000000023222-62.dat family_redline behavioral2/files/0x0006000000023222-64.dat family_redline behavioral2/memory/4320-65-0x00000000004A0000-0x00000000004BE000-memory.dmp family_redline -
SectopRAT payload 4 IoCs
resource yara_rule behavioral2/files/0x0006000000023222-62.dat family_sectoprat behavioral2/files/0x0006000000023222-64.dat family_sectoprat behavioral2/memory/4320-65-0x00000000004A0000-0x00000000004BE000-memory.dmp family_sectoprat behavioral2/memory/4320-74-0x0000000004E60000-0x0000000004E70000-memory.dmp family_sectoprat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation 5956d4f7e7ee67784eb1144040e52b5d.exe -
Executes dropped EXE 9 IoCs
pid Process 4464 7z.exe 3868 7z.exe 760 7z.exe 3320 7z.exe 1580 7z.exe 4120 7z.exe 2312 7z.exe 2932 7z.exe 4320 @kosmostarsz.exe -
Loads dropped DLL 8 IoCs
pid Process 4464 7z.exe 3868 7z.exe 760 7z.exe 3320 7z.exe 1580 7z.exe 4120 7z.exe 2312 7z.exe 2932 7z.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
description pid Process Token: SeRestorePrivilege 4464 7z.exe Token: 35 4464 7z.exe Token: SeSecurityPrivilege 4464 7z.exe Token: SeSecurityPrivilege 4464 7z.exe Token: SeRestorePrivilege 3868 7z.exe Token: 35 3868 7z.exe Token: SeSecurityPrivilege 3868 7z.exe Token: SeSecurityPrivilege 3868 7z.exe Token: SeRestorePrivilege 760 7z.exe Token: 35 760 7z.exe Token: SeSecurityPrivilege 760 7z.exe Token: SeSecurityPrivilege 760 7z.exe Token: SeRestorePrivilege 3320 7z.exe Token: 35 3320 7z.exe Token: SeSecurityPrivilege 3320 7z.exe Token: SeSecurityPrivilege 3320 7z.exe Token: SeRestorePrivilege 1580 7z.exe Token: 35 1580 7z.exe Token: SeSecurityPrivilege 1580 7z.exe Token: SeSecurityPrivilege 1580 7z.exe Token: SeRestorePrivilege 4120 7z.exe Token: 35 4120 7z.exe Token: SeSecurityPrivilege 4120 7z.exe Token: SeSecurityPrivilege 4120 7z.exe Token: SeRestorePrivilege 2312 7z.exe Token: 35 2312 7z.exe Token: SeSecurityPrivilege 2312 7z.exe Token: SeSecurityPrivilege 2312 7z.exe Token: SeRestorePrivilege 2932 7z.exe Token: 35 2932 7z.exe Token: SeSecurityPrivilege 2932 7z.exe Token: SeSecurityPrivilege 2932 7z.exe Token: SeDebugPrivilege 4320 @kosmostarsz.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 4364 wrote to memory of 5012 4364 5956d4f7e7ee67784eb1144040e52b5d.exe 91 PID 4364 wrote to memory of 5012 4364 5956d4f7e7ee67784eb1144040e52b5d.exe 91 PID 5012 wrote to memory of 2300 5012 cmd.exe 93 PID 5012 wrote to memory of 2300 5012 cmd.exe 93 PID 5012 wrote to memory of 4464 5012 cmd.exe 94 PID 5012 wrote to memory of 4464 5012 cmd.exe 94 PID 5012 wrote to memory of 3868 5012 cmd.exe 95 PID 5012 wrote to memory of 3868 5012 cmd.exe 95 PID 5012 wrote to memory of 760 5012 cmd.exe 105 PID 5012 wrote to memory of 760 5012 cmd.exe 105 PID 5012 wrote to memory of 3320 5012 cmd.exe 104 PID 5012 wrote to memory of 3320 5012 cmd.exe 104 PID 5012 wrote to memory of 1580 5012 cmd.exe 103 PID 5012 wrote to memory of 1580 5012 cmd.exe 103 PID 5012 wrote to memory of 4120 5012 cmd.exe 102 PID 5012 wrote to memory of 4120 5012 cmd.exe 102 PID 5012 wrote to memory of 2312 5012 cmd.exe 101 PID 5012 wrote to memory of 2312 5012 cmd.exe 101 PID 5012 wrote to memory of 2932 5012 cmd.exe 97 PID 5012 wrote to memory of 2932 5012 cmd.exe 97 PID 5012 wrote to memory of 4696 5012 cmd.exe 98 PID 5012 wrote to memory of 4696 5012 cmd.exe 98 PID 5012 wrote to memory of 4320 5012 cmd.exe 100 PID 5012 wrote to memory of 4320 5012 cmd.exe 100 PID 5012 wrote to memory of 4320 5012 cmd.exe 100 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 4696 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5956d4f7e7ee67784eb1144040e52b5d.exe"C:\Users\Admin\AppData\Local\Temp\5956d4f7e7ee67784eb1144040e52b5d.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"2⤵
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\system32\mode.commode 65,103⤵PID:2300
-
-
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe7z.exe e file.zip -p___________7524pwd5130pwd785___________ -oextracted3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4464
-
-
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe7z.exe e extracted/file_7.zip -oextracted3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3868
-
-
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe7z.exe e extracted/file_1.zip -oextracted3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2932
-
-
C:\Windows\system32\attrib.exeattrib +H "@kosmostarsz.exe"3⤵
- Views/modifies file attributes
PID:4696
-
-
C:\Users\Admin\AppData\Local\Temp\svchost\@kosmostarsz.exe"@kosmostarsz.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4320
-
-
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe7z.exe e extracted/file_2.zip -oextracted3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2312
-
-
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe7z.exe e extracted/file_3.zip -oextracted3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4120
-
-
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe7z.exe e extracted/file_4.zip -oextracted3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1580
-
-
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe7z.exe e extracted/file_5.zip -oextracted3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3320
-
-
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe7z.exe e extracted/file_6.zip -oextracted3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:760
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
315KB
MD5aabf2342fbbd5cfd999aae351ec2fe21
SHA1bad5a3306830d911d1c65fa77fab656db366bfb9
SHA256e06e4fe13ed36e122ff56f4b95089786bbad844bc1e945cd3c723726a978d9db
SHA51224b17323bcf239ae75fe6f3076e5a5ef6c75ad58a5ed2b424c75c2bfd1b66b8c087a85acaf6093d69514340b058b0bd9b81c100eff7ca784fe0ce5c332594470
-
Filesize
393KB
MD5ebaaaed537bf78c4b96c5fa4799e84b5
SHA1efa5b609c4bf09337a37a41c424c48bc69ae857d
SHA256faf1c25432b3df909ed5727f4f6ab089524b3a986eb06bd8a359f31d5b16a181
SHA5127d48ded85adb591e12b3dfcab9c93d325be0a641346bccc41f8871464aec2874aff9c41aba53e506c23c4d60084550dc53b56c14c1b3d6514640cc5f6c0957f5
-
Filesize
259KB
MD5e8a4c9de0f949d04ee235e540e4ac709
SHA1901016b16e2fb0c9cf60957b46307e2130fdee68
SHA256fa285f77e9883ab6b852ac41511e4da5059b4f8849551c2ed5ace15b9272fa4d
SHA5122df8e89c925e2de8516bee0bb4c2f9503b572cc812362f6358acacf5456f9f0ac6ee330f609bff7c1601716a9d216b49fd33c9d2ea5033331108d4451c83ae43
-
Filesize
191KB
MD5a020df2cca4d6b6c9310b93041ff3bcf
SHA1690b31ea15015f6927c29b3c4eec05e3f238cea7
SHA256a78107ee7e531829793cea070d4dd1147e55ac094c11650253ed3f29310c92e7
SHA512916ff477051c03fa50114d0f6cef98d34f5ab9234f8662d956b5fd1475a4bd7947e1067a55dd29263324dd5fd24dce037286cff8160feca079fe0d458741e7c7
-
Filesize
293KB
MD58e22d1cd637cfa265080e9e934215bcb
SHA18536343e75dab2e6addac7cfb821d32bd92bd93b
SHA256d16cbd6dc52794496e6a6b4dbec85f42a62591c2e07c3f9cc6baa215771a427c
SHA5123fae3e7ea464fe4d1e6a709aaffbc13b196b4501e7d1ac1ce69e59933b4d7358ef01f27064111862e2deb315d257cb9c8d1de5d5bbb67ea3c3e42e36c17cdc25
-
Filesize
147KB
MD5794ac33482582da0a5c73c23105f0353
SHA163a20d342a71ac3bcb40b690b0d80cef2c2274a4
SHA256e624e3731efaf44dc46066a36041f86cfedad076114b48f77ca3002c3ff283bf
SHA51294428282c30b131d9e5e83b1f2ab570b894484f4c237695f2b6985fc0f8c57d7abc15bae9d598d714b7861ec00c108cd67c72e45b74c3fdc69b74b6c6a04b63b
-
Filesize
226KB
MD509b2481338c7830b1a200a328ec05692
SHA15c73508ce2ce02d4f376336f9268af6f8150d81b
SHA256d702d677e797510d04bae289540c2e3cbd5e412d776f0548f1bb6a02a8dfdc6e
SHA512741b8be92095a67b2349420bb391a323e1f77d4d105b42fc8c609e3ac15e572fbdaeee088510724700be42569c892710c86266984cd4ba7307eb5bb4e0e13e7b
-
Filesize
88KB
MD5571a840491869137a87a7ac0a7e0524e
SHA1f63881a331fa2b33d610356e0f10b083fa02e177
SHA2567b2b2afd3320b8eded5127853160ace90e0dddb061bafaaa1c678cfc63c983c8
SHA51289ee0748639fe894b8cae81170e8eee73bb78e049e5e03dc16abf018cd5fecc18467dd2c8bbb9427fce2f2e2c5964e91fef40128c51dbeb63dace2620b1e8532
-
Filesize
130KB
MD52be7829ce2c94d82a3840936c985e81a
SHA18792abd3d1c89a065ea4e3b1e9131c327bc36328
SHA25639b6cfcdc4eb80184ea56ea685fce4328cc402c09f7acc0b244f5e9ca9952696
SHA512783280b3fa62e4fc6ce362cb4ab7190cd4b568dc2306ed7560c07f894ed71d221e36608b20d7f5f8a682e8dfdfd7e5cc7defe8b3093d88ef9ff8829f4860d0a7
-
Filesize
341KB
MD517449cf312563702700ca13925f546df
SHA1735e0d249c9f3cddfb84288e25d0027567eab5d3
SHA256428707fe99de202cb8e9343f1e9b40e3feb8d0217cd33d5b9269eac2ff5fcfb1
SHA5126b5d866bc6b25dfb1a19caba91c6436dfbc2344b7deb61ceb0a058281fc15f90da4a1a8c70405a4d6fb9b0d8e96fd9e352b81b4990609a30e5cb9a728b5a7c65
-
Filesize
298KB
MD560dd51a113f7c59c8cb7d975fb3ce1bb
SHA17c166c5ecf691d51e8fe468ef5420dd3535fff4e
SHA2567cb9bc7e35613fbbd5cb8cae2566d3ab6d0192e9d25b1658b084f4c69965bb9a
SHA512883dc6d532ae0e3e951685a1c55a673928b58768d44c64baabd7d4c464417987fc42a57e5b1904d06993784ff53c96e9602f0a97196bec1014319a3eaa813dfd
-
Filesize
264KB
MD5272520df89b16371b2de80ae861ce4d4
SHA1af41a73613ec1c68f276bcb40ff88315feedc899
SHA2566f940e74a901825053ec6176d86d9bfa61a0fee626f16e49839786078000bb10
SHA512ed8ea939ca81c8d697d5ce1accc2ca6789a521284c94f352d2e952df8ea7c25b55e6b21ee26db9ddbafde91a711635d6561b9f9aaebb3bca6f7d5a7b071fcf25
-
Filesize
307KB
MD56081a041416699f0606424a86a827abd
SHA15a766d99e0ea0b789cdd3ad49059ce512a8fc02d
SHA2560935ba31283d4125f392768c9210789188e51b2c634789526341d25b26647b84
SHA512e2926da67fb45a580b8509567480203acf01bf1c5dfebd783dc30b064a864ac3d39ac1052d6ecf3eab975c53872586ce0e7ae5de69e4c3350430fce14592fd1d
-
Filesize
191KB
MD506e89058c666c455057603a09d5d29c3
SHA1011e7f85f637472653807e6f586bcde571c33cf3
SHA256243668a94daaa6bb247589cef5ed29249841d01dbe7655366404264492181569
SHA5127a68a8ecaf6b9cddbcd500c78fb0f9b8c360f0086b43a5e5a2806197c11a1e4888a34be9dcb938ca59357da0135c15738e2906ba035d33c820dee71014e6cb9e
-
Filesize
341KB
MD5ada9331f25ee68f15b29de14bf381da3
SHA1a75bfddf8127cd4bcc6006ad5a6476f68014029a
SHA2560944552cd52987e24e06e1ab812014cf2f7061b7e8470346500b707ea6a44a8f
SHA51262ad31209a71bd22998cea0c17fce59bea92ffa742169d1d59aa8c0508dc1694dcc97c000799d9a11a1fa89b107b69fd65889de66c05f67e07ee4948398bde90
-
Filesize
233KB
MD5607471b7dd28d862af3d0c2311311ad2
SHA1c4ddaa39f442badf1ce87802ec9b0616b2e3bad1
SHA256f55b90c22d34539af3950f251938dc7e531a1cbc1ccbf52944c4eea7cce97386
SHA5122e65dd35a29a81dc582b8753bf0d7f730b493d19ae1efb8e6480b81fdfdf8f40d6598a87241787f69816e2993cbec9dba34af8765804002a2c229d8c53779ca5
-
Filesize
134KB
MD554c131cde7d4fa79a7e68cd7328475ed
SHA12fa0f6c0bc12baa1736140b3af5ae88a0b176c6d
SHA2568322a11134a05b75331f6eb8532399e13ec302a280a7005e2db8aa3084b73ddb
SHA51239067f6bf01e49662ff9ed91273eaec8c0ccd6c0ecfa80a320fbf31d5d11a5da1d57a85d2171e435a9d1dae87abe980e15fef8a257d1de6f1e756d560d5ca3e4
-
Filesize
199KB
MD5cd18885674529ab83a18279a060c3f37
SHA1bfdcf9220f26ba003fc2d5c0ce6b13ed5df3608e
SHA256bc5d3ca9dd4e302696e34c4ff74382f86fcba451ae874aac6288b24ad4ab8bb0
SHA512b2a8c6da262c829b6ae360f6187fde3cf4a56efe72eec1ff003e379cde66010e1cd7b529ed4ce5f8df8b1eaff119178fc2974d6c3e03873e52594920537c2e76
-
Filesize
74KB
MD539aa2a315408cfbbbe49883a518ba2f0
SHA1478935da3ccebd9ce1e8197aeb914b4d267f2af6
SHA256db7b9aaf29da71def8db2f1fa7beddb8c478e435053de710c53a7f4904d95061
SHA51265ea338501bb7926bfd558a26ab8bea772b10cc74a89b3d63b6184494b2437da3a6d3ae4da54188cd518e75177ab0f960acb60ff68847db6c4f1cd316178a3cc
-
Filesize
100KB
MD56a787a34b097237f3739f08be4b3e39e
SHA1d979dd7c02d80677c30315d8c58ac0cdf29960ad
SHA2563c0d90ae7ea976edcf777dcfe4e89b9b44b3c6a9ae3a07c06149632f75f5bc42
SHA51201fa4e74cb48e085a20bab002a8bdeea42007ad415b7b6682efd28649ec3f5dc62c893f4da036a5838ef6a37c77900fe0a26052d5bc47be606cf495e262d5b15
-
Filesize
273KB
MD5ede0e34c216d4cf7edd87eb5efec2430
SHA1232942a370e40a83ac88ca2ebd224dd02aa9814c
SHA256596a6ef55bc229719082a7170b01fae3a1ca4e5f65b03a1142929d028f6c48c3
SHA512976e9f834f88d8683af147c5e74a50811071e0476fad79c65f9df795dbaea615d5e4ffd1379c1a46095a262630397f017722f8c366729c3a7b5824e07a17e890
-
Filesize
40KB
MD535986967c70d3d917dcc7b48a3333f70
SHA117b5eb8f675308ab196c507ac31515604b811d1a
SHA256a01fdedfdbcd10210b3f32cffbcb6e8592ca1a0fb1ff15517ea668380eab2a0a
SHA5126148ddc6f69deb17d4b84ef14a3a6e43b75304f2b1bb0498fba8a4ae666d753eda602e10d6017c044e0652cb32acaa4715339666d1f39bf04a80b6ae9b70d46a
-
Filesize
40KB
MD5fc947be1e2936ab19132b0a2e9273cf1
SHA150d59332ec8878661eba457a90e93bff6342c035
SHA256128a5605da18aca664deed7059d24e06bed6d7e28e30c8a3e35af7d2322dddcf
SHA51280d80e8c63709f7bddc9f1297e41eb6ab8e0647709893a8e434d5657dc6879e5075a5082d345c46c3b111ce70492adb00833d60e8e3bb4915eb26da0189c8248
-
Filesize
40KB
MD54f9d323b4010c4756e7c23e00c016f04
SHA10720ab2eae766221e9073070b3512210dff14775
SHA256cafa915ce9cf8a5857941066caf7799d877d9a5d55fde72dce059c7dc74537fe
SHA512216a9d08c418f1c115199e0d4c0ba0e62ca05f4f15e6d0ac6cfb89b9c9c32bc286333031492fa00423e141311d4cbc1d9ff861e4d0865554b994cc7edd83db7d
-
Filesize
41KB
MD54bdf4e0eccfb4b953a4a882a12cc8128
SHA13402aaa7c349e8211cb5a14cc9e84e4496b2d61e
SHA256c3cd186249147de119c1944b4cc9416ca94af95ce4505353ab50dac54fb8197d
SHA5126ba178fa8cc97a7181c0cb667dda34a2d848237fc30f9f5932dfe12d3c61fa238c5602416ea285bcecaa2684c1c9804fe8d1f364521c3c76216b7afa99379718
-
Filesize
41KB
MD511ca0d3ad67ab953a087c784e55359c7
SHA1ed0afd402a62f50a8c45f851acf44c40843a2cc0
SHA256bc3e6da2f38eae41d5e72d2adc22af21d087d13ed53866ab63c5a2dc5fae6b09
SHA51264a8feda34c6f7151b94532f374d7740d0d4a605df1807248b7aefc5e6e963d2b6c7484bba4e737d13b0c9c76bbb3e17137633a30a1c1ae5628247965075c3ed
-
Filesize
41KB
MD5b160972741741f13ff1a675cf5f90189
SHA1d04a6d2bc33e95d9c7ac1996f3d755e0b018fb7d
SHA256fcb40b104e234ac18357146d87b2a5089e5a9cf0194c1e8405cca0338fbb2b98
SHA512739eba6788194368f0abb5050800bcceea82f5c17162de6394743eab4d286b96226a874d37f54e0d486812ee29ccc95909df9238746c8c025af0c46efd14926b
-
Filesize
170KB
MD58351001ec8738c0b2bf81f8b5ac3c5b2
SHA1d999d1b6e342690a26426e81bc42b5edfaf8fabf
SHA256d9cd94025fb45aa96c01dde44be87059814618a9e907e31306507e43e969867d
SHA51260792f919bcfff0a5b31a1be8101ec70e9d12a8305ad7a9dc2e565bd4a0c87ee88e111fa5161e840733ef2a0c6e3e1845079c3988a558fa90dc52159da80e3df
-
Filesize
816KB
MD50aa81c8e040ba6aaf6c0b0ed4b41dd39
SHA11834993aae92cfc643d45791a036d7b11235ea8f
SHA256e98211a17028c5a1d7fd96b2bf2b30843335fa87d7d2baed52c583061a2ecf31
SHA5121ebcc4dae791623905330eca7d0bb847d1dbf7f22d298d84919453930ca89aa35c4331a8c88429dc86403da8ef627f8c9240e88b7b43c33eb195ea82c4ec6103
-
Filesize
511B
MD51d7b05e211d49a88d01c05889b868722
SHA175a005a63c322ffc539a8580eb7dc88fe8f06a76
SHA25634be809068ccfee8ec7c49787034ad5b16bbbe98074e797cbf4bc07d71484487
SHA512b1de87bc31eedb8ae7dc08ba43b8db4334610e7af84f31ea4d61aec9946f4f3b35f0d312582d490c636c0ebb5b4747e8535e87fa00ed67949558075009efc2a0