Analysis
- max time kernel: 143s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 06-02-2024 19:40
Behavioral task: behavioral1
- Sample: SWIFT TRANSFER.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: SWIFT TRANSFER.exe
- Resource: win10v2004-20231222-en
General
- Target: SWIFT TRANSFER.exe
- Size: 1.0MB
- MD5: 397cd818297d991cdd6497572d261a25
- SHA1: 11cc48c47f1aac9af6ed1e15f66bba98899581b9
- SHA256: 0112a299785ef16cc0d6b84bf084a0122a700788180242afae4dac3b40a2bb50
- SHA512: c683a1327f887c8e82eb032df862c84e3faa58dcfa9ff37ad5d7fd6287a356e59ae32b8512862f88d03bf8d63b71a95682343c8d3d982f76c3ce398371ebcb4f
- SSDEEP: 24576:pO9cxPuT2Vj/wgFXRtl+btB7QVdWfXDE1MIz53u:pOV6Nz9YbATWvDlIN3u
Malware Config
Extracted
darkcloud
- email_from
- email_to
Signatures
-
Detect Neshta payload 5 IoCs
Processes:
| resource | yara_rule |
| --- | --- |
| C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe | family_neshta |
| behavioral1/memory/2956-92-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta |
| C:\Windows\svchost.com | family_neshta |
| behavioral1/memory/2204-110-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta |
| behavioral1/memory/1284-118-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta |
-
Neshta
Malware from the Neshta family infects other files in order to spread itself and cause damage.
-
Executes dropped EXE 4 IoCs
Processes:
SWIFT TRANSFER.exe, svchost.com, svchost.com, SWIFT TRANSFER.exe

| pid | process |
| --- | --- |
| 2400 | SWIFT TRANSFER.exe |
| 2204 | svchost.com |
| 1284 | svchost.com |
| 1868 | SWIFT TRANSFER.exe |
-
Loads dropped DLL 5 IoCs
Processes:
SWIFT TRANSFER.exe, svchost.com, SWIFT TRANSFER.exe

| pid | process |
| --- | --- |
| 2956 | SWIFT TRANSFER.exe |
| 2956 | SWIFT TRANSFER.exe |
| 2956 | SWIFT TRANSFER.exe |
| 1284 | svchost.com |
| 2400 | SWIFT TRANSFER.exe |
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
SWIFT TRANSFER.exe

| description | ioc | process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | SWIFT TRANSFER.exe |
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
SWIFT TRANSFER.exe

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 2400 set thread context of 1868 | 2400 | SWIFT TRANSFER.exe | SWIFT TRANSFER.exe |
-
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 5 IoCs
Processes:
svchost.com, svchost.com, SWIFT TRANSFER.exe

| description | ioc | process |
| --- | --- | --- |
| File opened for modification | C:\Windows\directx.sys | svchost.com |
| File opened for modification | C:\Windows\svchost.com | svchost.com |
| File opened for modification | C:\Windows\directx.sys | svchost.com |
| File opened for modification | C:\Windows\svchost.com | svchost.com |
| File opened for modification | C:\Windows\svchost.com | SWIFT TRANSFER.exe |
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
Processes:
SWIFT TRANSFER.exe

| description | ioc | process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | SWIFT TRANSFER.exe |
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
SWIFT TRANSFER.exe, powershell.exe

| pid | process |
| --- | --- |
| 2400 | SWIFT TRANSFER.exe |
| 2400 | SWIFT TRANSFER.exe |
| 2400 | SWIFT TRANSFER.exe |
| 2400 | SWIFT TRANSFER.exe |
| 1708 | powershell.exe |
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
SWIFT TRANSFER.exe, powershell.exe

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2400 | SWIFT TRANSFER.exe |
| Token: SeDebugPrivilege | 1708 | powershell.exe |
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
SWIFT TRANSFER.exe

| pid | process |
| --- | --- |
| 1868 | SWIFT TRANSFER.exe |
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
SWIFT TRANSFER.exe, SWIFT TRANSFER.exe, svchost.com, svchost.com

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 2956 wrote to memory of 2400 | 2956 | SWIFT TRANSFER.exe | SWIFT TRANSFER.exe |
| PID 2956 wrote to memory of 2400 | 2956 | SWIFT TRANSFER.exe | SWIFT TRANSFER.exe |
| PID 2956 wrote to memory of 2400 | 2956 | SWIFT TRANSFER.exe | SWIFT TRANSFER.exe |
| PID 2956 wrote to memory of 2400 | 2956 | SWIFT TRANSFER.exe | SWIFT TRANSFER.exe |
| PID 2400 wrote to memory of 2204 | 2400 | SWIFT TRANSFER.exe | svchost.com |
| PID 2400 wrote to memory of 2204 | 2400 | SWIFT TRANSFER.exe | svchost.com |
| PID 2400 wrote to memory of 2204 | 2400 | SWIFT TRANSFER.exe | svchost.com |
| PID 2400 wrote to memory of 2204 | 2400 | SWIFT TRANSFER.exe | svchost.com |
| PID 2400 wrote to memory of 1284 | 2400 | SWIFT TRANSFER.exe | svchost.com |
| PID 2400 wrote to memory of 1284 | 2400 | SWIFT TRANSFER.exe | svchost.com |
| PID 2400 wrote to memory of 1284 | 2400 | SWIFT TRANSFER.exe | svchost.com |
| PID 2400 wrote to memory of 1284 | 2400 | SWIFT TRANSFER.exe | svchost.com |
| PID 2204 wrote to memory of 1708 | 2204 | svchost.com | powershell.exe |
| PID 2204 wrote to memory of 1708 | 2204 | svchost.com | powershell.exe |
| PID 2204 wrote to memory of 1708 | 2204 | svchost.com | powershell.exe |
| PID 2204 wrote to memory of 1708 | 2204 | svchost.com | powershell.exe |
| PID 1284 wrote to memory of 2800 | 1284 | svchost.com | schtasks.exe |
| PID 1284 wrote to memory of 2800 | 1284 | svchost.com | schtasks.exe |
| PID 1284 wrote to memory of 2800 | 1284 | svchost.com | schtasks.exe |
| PID 1284 wrote to memory of 2800 | 1284 | svchost.com | schtasks.exe |
| PID 2400 wrote to memory of 1868 | 2400 | SWIFT TRANSFER.exe | SWIFT TRANSFER.exe |
| PID 2400 wrote to memory of 1868 | 2400 | SWIFT TRANSFER.exe | SWIFT TRANSFER.exe |
| PID 2400 wrote to memory of 1868 | 2400 | SWIFT TRANSFER.exe | SWIFT TRANSFER.exe |
| PID 2400 wrote to memory of 1868 | 2400 | SWIFT TRANSFER.exe | SWIFT TRANSFER.exe |
| PID 2400 wrote to memory of 1868 | 2400 | SWIFT TRANSFER.exe | SWIFT TRANSFER.exe |
| PID 2400 wrote to memory of 1868 | 2400 | SWIFT TRANSFER.exe | SWIFT TRANSFER.exe |
| PID 2400 wrote to memory of 1868 | 2400 | SWIFT TRANSFER.exe | SWIFT TRANSFER.exe |
| PID 2400 wrote to memory of 1868 | 2400 | SWIFT TRANSFER.exe | SWIFT TRANSFER.exe |
| PID 2400 wrote to memory of 1868 | 2400 | SWIFT TRANSFER.exe | SWIFT TRANSFER.exe |
Processes

C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe (PID 2956, tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT TRANSFER.exe"
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe (PID 2400, tree depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

C:\Windows\svchost.com (PID 2204, tree depth 3)
Command line: "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GuQWhxmyGNWUd.exe"
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe (PID 1708, tree depth 4)
Command line: C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\GuQWhxmyGNWUd.exe
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Windows\svchost.com (PID 1284, tree depth 3)
Command line: "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GuQWhxmyGNWUd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D36.tmp"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\schtasks.exe (PID 2800, tree depth 4)
Command line: C:\Windows\System32\schtasks.exe /Create /TN Updates\GuQWhxmyGNWUd /XML C:\Users\Admin\AppData\Local\Temp\tmp4D36.tmp
- Creates scheduled task(s)

C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe (PID 1868, tree depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\SWIFT TRANSFER.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

Network
MITRE ATT&CK Enterprise v15
Downloads