Overview
overview
10Static
static
3magic.pois...lk.dat
windows10-2004-x64
3magic.pois...ed.exe
windows10-2004-x64
10magic.pois...pt.exe
windows10-2004-x64
10magic.pois...cs.hta
windows10-2004-x64
10magic.pois...nt.pdf
windows10-2004-x64
1magic.pois...zg.wav
windows10-2004-x64
6magic.pois...pt.exe
windows10-2004-x64
10magic.pois...pt.exe
windows10-2004-x64
10magic.pois...es.hta
windows10-2004-x64
10magic.pois...im.vdf
windows10-2004-x64
3magic.pois...ck.wav
windows10-2004-x64
1magic.pois...ff.dat
windows10-2004-x64
3magic.pois...IB.pdf
windows10-2004-x64
1magic.pois...pt.exe
windows10-2004-x64
10magic.pois...ty.wav
windows10-2004-x64
1magic.pois...ye.wav
windows10-2004-x64
6magic.pois...er.exe
windows10-2004-x64
10magic.pois...vw.mp4
windows10-2004-x64
6magic.pois...op.mp4
windows10-2004-x64
6magic.pois...ed.hta
windows10-2004-x64
10magic.pois...ng.exe
windows10-2004-x64
10magic.pois...wn.png
windows10-2004-x64
3magic.pois...ox.hta
windows10-2004-x64
10magic.pois...xw.exe
windows10-2004-x64
10magic.pois...xw.hta
windows10-2004-x64
10magic.pois...pt.exe
windows10-2004-x64
10Analysis
-
max time kernel
128s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
19-01-2024 20:19
Static task
static1
Behavioral task
behavioral1
Sample
magic.poisontoolz.com/Avjteuhlk.dat
Resource
win10v2004-20231215-en
Behavioral task
behavioral2
Sample
magic.poisontoolz.com/Binded.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
magic.poisontoolz.com/Buildcrypt.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral4
Sample
magic.poisontoolz.com/Docs.hta
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
magic.poisontoolz.com/Document.pdf
Resource
win10v2004-20231215-en
Behavioral task
behavioral6
Sample
magic.poisontoolz.com/Evllmzg.wav
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
magic.poisontoolz.com/File1crypt.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral8
Sample
magic.poisontoolz.com/File2crypt.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
magic.poisontoolz.com/Files.hta
Resource
win10v2004-20231215-en
Behavioral task
behavioral10
Sample
magic.poisontoolz.com/Jafxaspdhim.vdf
Resource
win10v2004-20231215-en
Behavioral task
behavioral11
Sample
magic.poisontoolz.com/Otcck.wav
Resource
win10v2004-20231222-en
Behavioral task
behavioral12
Sample
magic.poisontoolz.com/Pphucxdmff.dat
Resource
win10v2004-20231222-en
Behavioral task
behavioral13
Sample
magic.poisontoolz.com/RIB.pdf
Resource
win10v2004-20231215-en
Behavioral task
behavioral14
Sample
magic.poisontoolz.com/RagCrypt.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral15
Sample
magic.poisontoolz.com/Spaufgty.wav
Resource
win10v2004-20231222-en
Behavioral task
behavioral16
Sample
magic.poisontoolz.com/Utsxokye.wav
Resource
win10v2004-20231215-en
Behavioral task
behavioral17
Sample
magic.poisontoolz.com/Walter.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral18
Sample
magic.poisontoolz.com/Wjwxkhbvw.mp4
Resource
win10v2004-20231215-en
Behavioral task
behavioral19
Sample
magic.poisontoolz.com/Wlkubkwdmop.mp4
Resource
win10v2004-20231215-en
Behavioral task
behavioral20
Sample
magic.poisontoolz.com/binded.hta
Resource
win10v2004-20231215-en
Behavioral task
behavioral21
Sample
magic.poisontoolz.com/building.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral22
Sample
magic.poisontoolz.com/down.png
Resource
win10v2004-20231215-en
Behavioral task
behavioral23
Sample
magic.poisontoolz.com/fox.hta
Resource
win10v2004-20231215-en
Behavioral task
behavioral24
Sample
magic.poisontoolz.com/xw.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral25
Sample
magic.poisontoolz.com/xw.hta
Resource
win10v2004-20231215-en
General
-
Target
magic.poisontoolz.com/Buildcrypt.exe
-
Size
86KB
-
MD5
380888258d0c8d18da63e80591a4e0f3
-
SHA1
70ef5767c29304806ccc4cd136d9c5bfd8dcf403
-
SHA256
eaaefbc4c960dca1de30c44f0fccbbefdb9c3e0e243e7ff5579316b99206b8e0
-
SHA512
63104e4e2e6b260522c26a28287684bb8dab433d4b03396e30b478288980d15d4d259d873f1f59eda364ec777bcdc79f481b11890178a012f2bc483497c4e3b3
-
SSDEEP
1536:2jXsxSiEgiXHZLUQqC0BvUncdRHREWT2fPT3YORK59kx+:KXtiSghvU/86T3YUK5CE
Malware Config
Signatures
-
Detect ZGRat V1 34 IoCs
Processes:
resource yara_rule behavioral3/memory/640-3-0x0000000006C00000-0x0000000006E0A000-memory.dmp family_zgrat_v1 behavioral3/memory/640-4-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-5-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-9-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-7-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-11-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-15-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-19-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-23-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-27-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-31-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-35-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-37-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-39-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-43-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-45-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-47-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-49-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-51-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-53-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-57-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-61-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-63-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-65-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-67-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-59-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-55-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-41-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-33-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-29-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-25-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-21-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-17-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 behavioral3/memory/640-13-0x0000000006C00000-0x0000000006E04000-memory.dmp family_zgrat_v1 -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Buildcrypt.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Buildcrypt.exe Key opened \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Buildcrypt.exe Key opened \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Buildcrypt.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Buildcrypt.exedescription pid process target process PID 640 set thread context of 4480 640 Buildcrypt.exe Buildcrypt.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Buildcrypt.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Buildcrypt.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Buildcrypt.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Buildcrypt.exepid process 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe 4480 Buildcrypt.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Buildcrypt.exeBuildcrypt.exemsiexec.exedescription pid process Token: SeDebugPrivilege 640 Buildcrypt.exe Token: SeDebugPrivilege 4480 Buildcrypt.exe Token: SeSecurityPrivilege 4004 msiexec.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Buildcrypt.exepid process 4480 Buildcrypt.exe -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
Buildcrypt.exeBuildcrypt.execmd.execmd.exedescription pid process target process PID 640 wrote to memory of 4480 640 Buildcrypt.exe Buildcrypt.exe PID 640 wrote to memory of 4480 640 Buildcrypt.exe Buildcrypt.exe PID 640 wrote to memory of 4480 640 Buildcrypt.exe Buildcrypt.exe PID 640 wrote to memory of 4480 640 Buildcrypt.exe Buildcrypt.exe PID 640 wrote to memory of 4480 640 Buildcrypt.exe Buildcrypt.exe PID 640 wrote to memory of 4480 640 Buildcrypt.exe Buildcrypt.exe PID 640 wrote to memory of 4480 640 Buildcrypt.exe Buildcrypt.exe PID 640 wrote to memory of 4480 640 Buildcrypt.exe Buildcrypt.exe PID 4480 wrote to memory of 2240 4480 Buildcrypt.exe cmd.exe PID 4480 wrote to memory of 2240 4480 Buildcrypt.exe cmd.exe PID 4480 wrote to memory of 2240 4480 Buildcrypt.exe cmd.exe PID 2240 wrote to memory of 3248 2240 cmd.exe chcp.com PID 2240 wrote to memory of 3248 2240 cmd.exe chcp.com PID 2240 wrote to memory of 3248 2240 cmd.exe chcp.com PID 2240 wrote to memory of 4360 2240 cmd.exe netsh.exe PID 2240 wrote to memory of 4360 2240 cmd.exe netsh.exe PID 2240 wrote to memory of 4360 2240 cmd.exe netsh.exe PID 2240 wrote to memory of 4632 2240 cmd.exe findstr.exe PID 2240 wrote to memory of 4632 2240 cmd.exe findstr.exe PID 2240 wrote to memory of 4632 2240 cmd.exe findstr.exe PID 4480 wrote to memory of 2268 4480 Buildcrypt.exe cmd.exe PID 4480 wrote to memory of 2268 4480 Buildcrypt.exe cmd.exe PID 4480 wrote to memory of 2268 4480 Buildcrypt.exe cmd.exe PID 2268 wrote to memory of 3088 2268 cmd.exe chcp.com PID 2268 wrote to memory of 3088 2268 cmd.exe chcp.com PID 2268 wrote to memory of 3088 2268 cmd.exe chcp.com PID 2268 wrote to memory of 4240 2268 cmd.exe netsh.exe PID 2268 wrote to memory of 4240 2268 cmd.exe netsh.exe PID 2268 wrote to memory of 4240 2268 cmd.exe netsh.exe -
outlook_office_path 1 IoCs
Processes:
Buildcrypt.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Buildcrypt.exe -
outlook_win_path 1 IoCs
Processes:
Buildcrypt.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Buildcrypt.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe"C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exeC:\Users\Admin\AppData\Local\Temp\magic.poisontoolz.com\Buildcrypt.exe2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4480 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵PID:4360
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵PID:4632
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵PID:3248
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
- Suspicious use of WriteProcessMemory
PID:2268
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4004
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid1⤵PID:4240
-
C:\Windows\SysWOW64\chcp.comchcp 650011⤵PID:3088
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c3941d9fa38f1717d5cecd7a2ca71667
SHA133b5362675383b58b4166ed9f9a61e5aa6768d2e
SHA256f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
SHA51298f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45
-
C:\Users\Admin\AppData\Local\e2bed16f33a1d21c74bd6ea14529f635\Admin@IMXSDNYJ_en-US\Browsers\Firefox\Bookmarks.txt
Filesize105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\e2bed16f33a1d21c74bd6ea14529f635\Admin@IMXSDNYJ_en-US\Directories\Startup.txt
Filesize24B
MD568c93da4981d591704cea7b71cebfb97
SHA1fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA51263455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402
-
C:\Users\Admin\AppData\Local\e2bed16f33a1d21c74bd6ea14529f635\Admin@IMXSDNYJ_en-US\Directories\Videos.txt
Filesize23B
MD51fddbf1169b6c75898b86e7e24bc7c1f
SHA1d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA51220bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
5KB
MD5b1d58554f33c991f9454f81bf1f6a7a6
SHA11a9c0748fbb4c4974315f6a3188ffb5078372de1
SHA2562809730601ec3cd803e75dded9788afc2683f6562378a497e7300fd83137838c
SHA512ef961a73b2b8844155d1684a6d5e0319ad5d0c8cb2c60e4ed16b03cca69e04bf9872f2bff8fdf24d3bf284366f2b2f0d36f1e4c1cd5d007732c3ad0af562d5c6
-
C:\Users\Admin\AppData\Local\e2bed16f33a1d21c74bd6ea14529f635\Admin@IMXSDNYJ_en-US\System\Process.txt
Filesize4KB
MD51ee536f8825f6e2687ef66d381d8f207
SHA1226510773d4cce296c65a148113cc8748dcd2eb5
SHA25617f9cee741ac5c44270e2e06cffe0733c0048eeff575a722552ab3faa60c22e4
SHA5120e7be43674727276b6a1ca1b1b96cca435f9dc1feefce7a150632f171313b365ee59bc842244c6dfaf53b951bff3f9cad781ea70795cfed163db767f50a55e7f
-
C:\Users\Admin\AppData\Local\e2bed16f33a1d21c74bd6ea14529f635\Admin@IMXSDNYJ_en-US\System\ProductKey.txt
Filesize29B
MD571eb5479298c7afc6d126fa04d2a9bde
SHA1a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA5127c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd
-
Filesize
19B
MD59d694ab3d634fb05b97a4b4e72a69c3d
SHA1c71f80418ae48b90d4128ab03ac26e4c8c8f8c41
SHA256b61a8732dc7f3679fa4e0cf02bdbc1d61a813adaafa9df7a0aba53d9127902f9
SHA512a7eb902af143b7aeae5fb063c303ff90023dce6d16c40e09f1fa7847c453f0e3864f7623daefe9a4d1f71a8c75f27b55ed9bfd0c137e8d607b1fbbd4c5b26327