Analysis
max time kernel: 1816s
max time network: 1819s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 23/01/2024, 02:36
Static task: static1
Behavioral task behavioral1: sample Loader.exe, resource win7-20231215-en
Behavioral task behavioral2: sample Loader.exe, resource win10v2004-20231215-en
Behavioral task behavioral3: sample $PLUGINSDIR/StdUtils.dll, resource win7-20231215-en
Behavioral task behavioral4: sample $PLUGINSDIR/StdUtils.dll, resource win10v2004-20231222-en
Behavioral task behavioral5: sample $PLUGINSDIR/System.dll, resource win7-20231215-en
Behavioral task behavioral6: sample $PLUGINSDIR/System.dll, resource win10v2004-20231215-en
Behavioral task behavioral7: sample LICENSES.chromium.html, resource win7-20231129-en
Behavioral task behavioral8: sample LICENSES.chromium.html, resource win10v2004-20231215-en
Behavioral task behavioral9: sample Loader.exe, resource win7-20231215-en
Behavioral task behavioral10: sample Loader.exe, resource win10v2004-20231215-en
Behavioral task behavioral11: sample d3dcompiler_47.dll, resource win7-20231215-en
Behavioral task behavioral12: sample d3dcompiler_47.dll, resource win10v2004-20231215-en
Behavioral task behavioral13: sample ffmpeg.dll, resource win7-20231215-en
Behavioral task behavioral14: sample ffmpeg.dll, resource win10v2004-20231215-en
Behavioral task behavioral15: sample libEGL.dll, resource win7-20231129-en
Behavioral task behavioral16: sample libEGL.dll, resource win10v2004-20231215-en
Behavioral task behavioral17: sample libGLESv2.dll, resource win7-20231215-en
Behavioral task behavioral18: sample libGLESv2.dll, resource win10v2004-20231215-en
Behavioral task behavioral19: sample resources/elevate.exe, resource win7-20231215-en
Behavioral task behavioral20: sample resources/elevate.exe, resource win10v2004-20231215-en
Behavioral task behavioral21: sample swiftshader/libEGL.dll, resource win7-20231215-en
Behavioral task behavioral22: sample swiftshader/libEGL.dll, resource win10v2004-20231215-en
Behavioral task behavioral23: sample swiftshader/libGLESv2.dll, resource win7-20231215-en
Behavioral task behavioral24: sample swiftshader/libGLESv2.dll, resource win10v2004-20231215-en
Behavioral task behavioral25: sample vk_swiftshader.dll, resource win7-20231215-en
Behavioral task behavioral26: sample vk_swiftshader.dll, resource win10v2004-20231215-en
Behavioral task behavioral27: sample vulkan-1.dll, resource win7-20231215-en
Behavioral task behavioral28: sample vulkan-1.dll, resource win10v2004-20231222-en
Behavioral task behavioral29: sample $PLUGINSDIR/nsis7z.dll, resource win7-20231215-en
Behavioral task behavioral30: sample $PLUGINSDIR/nsis7z.dll, resource win10v2004-20231222-en
General
Target: Loader.exe
Size: 139.5MB
MD5: 8fa1144ef7c7e9ff74df8d18a08af392
SHA1: 8c6bdf47395b29030fc520be3b2c07de6caf653f
SHA256: 2ab58d0da204479a94cfa67361c688119e5ae20b967fd0d36ac93d7abe163191
SHA512: 0e4152be8b8d0d223b1a6c7d94246f81206cbd1f7eba16c32b19d112c02e24713a87801e87a0245ab2d4b89ab66a657d39c18480f2e5273afd0d6db82f74cf22
SSDEEP: 786432:X14w5ThzHwQBgmoLWv+K18nCzKdo5DTdvfMQr6SSmPuvh8tSIW68:X14kpHwQjCWv+K18CedmVvEQEpcJW
Malware Config
Signatures
Loads dropped DLL (3 IoCs)
pid   Process
2648  Loader.exe
2648  Loader.exe
2648  Loader.exe
Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                   Loader.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz              Loader.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Loader.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                   Loader.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz              Loader.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  Loader.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2                   Loader.exe
Detects videocard installed (1 TTPs, 1 IoCs)
Uses WMIC.exe to determine videocard installed.
pid   Process
3052  WMIC.exe
Enumerates processes with tasklist (1 TTPs, 2 IoCs)
pid   Process
1632  tasklist.exe
1036  tasklist.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid   Process
2648  Loader.exe
2648  Loader.exe
1936  Loader.exe
1196  powershell.exe
2648  Loader.exe
2648  Loader.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\Loader.exe (PID 2648)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  Signatures: Loads dropped DLL; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 2564)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\tasklist.exe (PID 1632)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\Loader.exe (PID 2324)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1036 --field-trial-handle=1160,11925140341972151820,18262357793449803076,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  - C:\Windows\system32\cmd.exe (PID 2912)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2648 get ExecutablePath"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe (PID 1484)
      Command line: wmic process where processid=2648 get ExecutablePath
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 2996)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - C:\Windows\system32\tasklist.exe (PID 1036)
      Command line: tasklist
      Signatures: Enumerates processes with tasklist
  - C:\Windows\system32\cmd.exe (PID 3012)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "net session"
    - C:\Windows\system32\net.exe (PID 1988)
      Command line: net session
      - C:\Windows\system32\net1.exe (PID 1780)
        Command line: C:\Windows\system32\net1 session
  - C:\Windows\system32\cmd.exe (PID 1652)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\bind\main.exe"
  - C:\Windows\system32\cmd.exe (PID 368)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    - C:\Windows\System32\Wbem\WMIC.exe (PID 660)
      Command line: wmic csproduct get uuid
      Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe (PID 2756)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
    - C:\Windows\system32\more.com (PID 1748)
      Command line: more +1
    - C:\Windows\System32\Wbem\WMIC.exe (PID 456)
      Command line: wmic OS get caption, osarchitecture
  - C:\Windows\system32\cmd.exe (PID 1688)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
    - C:\Windows\System32\Wbem\WMIC.exe (PID 2304)
      Command line: wmic cpu get name
    - C:\Windows\system32\more.com (PID 1752)
      Command line: more +1
  - C:\Windows\system32\cmd.exe (PID 1760)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
    - C:\Windows\system32\more.com (PID 2352)
      Command line: more +1
    - C:\Windows\System32\Wbem\WMIC.exe (PID 3052)
      Command line: wmic PATH Win32_VideoController get name
      Signatures: Detects videocard installed
  - C:\Users\Admin\AppData\Local\Temp\Loader.exe (PID 1936)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1076 --field-trial-handle=1160,11925140341972151820,18262357793449803076,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\Loader.exe (PID 780)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1604 --field-trial-handle=1160,11925140341972151820,18262357793449803076,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  - C:\Windows\system32\cmd.exe (PID 1864)
    Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1196)
      Command line: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      Signatures: Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads