Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
10/05/2024, 22:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6cd58da990c1a844a117bb0086fdf01360b1a46090f90ba82049ea35d5ced320.dll
Resource
win7-20240508-en
windows7-x64
17 signatures
150 seconds
General
-
Target
6cd58da990c1a844a117bb0086fdf01360b1a46090f90ba82049ea35d5ced320.dll
-
Size
120KB
-
MD5
92ab36523dd715b2dadc88ac91b8fe93
-
SHA1
9bef3d4f324fa18d868c4ec656f0e7a841ae38ba
-
SHA256
6cd58da990c1a844a117bb0086fdf01360b1a46090f90ba82049ea35d5ced320
-
SHA512
e6048c8dff19c9f7f3b48a453e953720240e0132eeea38e56f23925e6e808e6effa985a987ccdd0668e81ce8410ad470eb641abab74dcdaaede0fa8713106816
-
SSDEEP
3072:c14BE9TeCj6lHDOXia2DWmmJOczT/1AHkbv:caBE9TFjiqXkWNNaMv
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f761a92.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f761890.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f761890.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" f761890.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" f761a92.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" f761a92.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f761a92.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f761890.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f761a92.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f761a92.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f761a92.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f761a92.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f761890.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f761890.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f761890.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f761a92.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f761a92.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f761890.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f761890.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f761890.exe -
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 22 IoCs
resource yara_rule behavioral1/memory/2808-12-0x0000000000590000-0x000000000164A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2808-19-0x0000000000590000-0x000000000164A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2808-14-0x0000000000590000-0x000000000164A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2808-16-0x0000000000590000-0x000000000164A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2808-18-0x0000000000590000-0x000000000164A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2808-21-0x0000000000590000-0x000000000164A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2808-17-0x0000000000590000-0x000000000164A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2808-22-0x0000000000590000-0x000000000164A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2808-20-0x0000000000590000-0x000000000164A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2808-15-0x0000000000590000-0x000000000164A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2808-66-0x0000000000590000-0x000000000164A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2808-67-0x0000000000590000-0x000000000164A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2808-68-0x0000000000590000-0x000000000164A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2808-81-0x0000000000590000-0x000000000164A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2808-82-0x0000000000590000-0x000000000164A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2808-84-0x0000000000590000-0x000000000164A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2808-103-0x0000000000590000-0x000000000164A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2808-105-0x0000000000590000-0x000000000164A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2808-107-0x0000000000590000-0x000000000164A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2808-142-0x0000000000590000-0x000000000164A000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2488-155-0x0000000000A10000-0x0000000001ACA000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine behavioral1/memory/2488-169-0x0000000000A10000-0x0000000001ACA000-memory.dmp INDICATOR_EXE_Packed_SimplePolyEngine -
UPX dump on OEP (original entry point) 26 IoCs
resource yara_rule behavioral1/memory/2808-12-0x0000000000590000-0x000000000164A000-memory.dmp UPX behavioral1/memory/2808-19-0x0000000000590000-0x000000000164A000-memory.dmp UPX behavioral1/memory/2808-14-0x0000000000590000-0x000000000164A000-memory.dmp UPX behavioral1/memory/2808-16-0x0000000000590000-0x000000000164A000-memory.dmp UPX behavioral1/memory/2808-18-0x0000000000590000-0x000000000164A000-memory.dmp UPX behavioral1/memory/2808-21-0x0000000000590000-0x000000000164A000-memory.dmp UPX behavioral1/memory/2808-17-0x0000000000590000-0x000000000164A000-memory.dmp UPX behavioral1/memory/2808-22-0x0000000000590000-0x000000000164A000-memory.dmp UPX behavioral1/memory/2808-20-0x0000000000590000-0x000000000164A000-memory.dmp UPX behavioral1/memory/2488-65-0x0000000000400000-0x0000000000412000-memory.dmp UPX behavioral1/memory/2808-15-0x0000000000590000-0x000000000164A000-memory.dmp UPX behavioral1/memory/2808-66-0x0000000000590000-0x000000000164A000-memory.dmp UPX behavioral1/memory/2808-67-0x0000000000590000-0x000000000164A000-memory.dmp UPX behavioral1/memory/2808-68-0x0000000000590000-0x000000000164A000-memory.dmp UPX behavioral1/memory/2808-81-0x0000000000590000-0x000000000164A000-memory.dmp UPX behavioral1/memory/2808-82-0x0000000000590000-0x000000000164A000-memory.dmp UPX behavioral1/memory/2808-84-0x0000000000590000-0x000000000164A000-memory.dmp UPX behavioral1/memory/2808-103-0x0000000000590000-0x000000000164A000-memory.dmp UPX behavioral1/memory/2808-105-0x0000000000590000-0x000000000164A000-memory.dmp UPX behavioral1/memory/2808-107-0x0000000000590000-0x000000000164A000-memory.dmp UPX behavioral1/memory/2808-142-0x0000000000590000-0x000000000164A000-memory.dmp UPX behavioral1/memory/2808-143-0x0000000000400000-0x0000000000412000-memory.dmp UPX behavioral1/memory/2488-155-0x0000000000A10000-0x0000000001ACA000-memory.dmp UPX behavioral1/memory/2488-168-0x0000000000400000-0x0000000000412000-memory.dmp UPX behavioral1/memory/2488-169-0x0000000000A10000-0x0000000001ACA000-memory.dmp UPX behavioral1/memory/2412-173-0x0000000000400000-0x0000000000412000-memory.dmp UPX -
Executes dropped EXE 3 IoCs
pid Process 2808 f761890.exe 2488 f761a92.exe 2412 f7637a4.exe -
Loads dropped DLL 6 IoCs
pid Process 2040 rundll32.exe 2040 rundll32.exe 2040 rundll32.exe 2040 rundll32.exe 2040 rundll32.exe 2040 rundll32.exe -
resource yara_rule behavioral1/memory/2808-12-0x0000000000590000-0x000000000164A000-memory.dmp upx behavioral1/memory/2808-19-0x0000000000590000-0x000000000164A000-memory.dmp upx behavioral1/memory/2808-14-0x0000000000590000-0x000000000164A000-memory.dmp upx behavioral1/memory/2808-16-0x0000000000590000-0x000000000164A000-memory.dmp upx behavioral1/memory/2808-18-0x0000000000590000-0x000000000164A000-memory.dmp upx behavioral1/memory/2808-21-0x0000000000590000-0x000000000164A000-memory.dmp upx behavioral1/memory/2808-17-0x0000000000590000-0x000000000164A000-memory.dmp upx behavioral1/memory/2808-22-0x0000000000590000-0x000000000164A000-memory.dmp upx behavioral1/memory/2808-20-0x0000000000590000-0x000000000164A000-memory.dmp upx behavioral1/memory/2808-15-0x0000000000590000-0x000000000164A000-memory.dmp upx behavioral1/memory/2808-66-0x0000000000590000-0x000000000164A000-memory.dmp upx behavioral1/memory/2808-67-0x0000000000590000-0x000000000164A000-memory.dmp upx behavioral1/memory/2808-68-0x0000000000590000-0x000000000164A000-memory.dmp upx behavioral1/memory/2808-81-0x0000000000590000-0x000000000164A000-memory.dmp upx behavioral1/memory/2808-82-0x0000000000590000-0x000000000164A000-memory.dmp upx behavioral1/memory/2808-84-0x0000000000590000-0x000000000164A000-memory.dmp upx behavioral1/memory/2808-103-0x0000000000590000-0x000000000164A000-memory.dmp upx behavioral1/memory/2808-105-0x0000000000590000-0x000000000164A000-memory.dmp upx behavioral1/memory/2808-107-0x0000000000590000-0x000000000164A000-memory.dmp upx behavioral1/memory/2808-142-0x0000000000590000-0x000000000164A000-memory.dmp upx behavioral1/memory/2488-155-0x0000000000A10000-0x0000000001ACA000-memory.dmp upx behavioral1/memory/2488-169-0x0000000000A10000-0x0000000001ACA000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f761890.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f761890.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f761a92.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f761890.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" f761890.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f761a92.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" f761890.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f761a92.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" f761a92.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" f761a92.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc f761a92.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f761890.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" f761890.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" f761a92.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f761890.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f761a92.exe -
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: f761890.exe File opened (read-only) \??\H: f761890.exe File opened (read-only) \??\J: f761890.exe File opened (read-only) \??\K: f761890.exe File opened (read-only) \??\L: f761890.exe File opened (read-only) \??\M: f761890.exe File opened (read-only) \??\N: f761890.exe File opened (read-only) \??\E: f761890.exe File opened (read-only) \??\O: f761890.exe File opened (read-only) \??\I: f761890.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\f7669ab f761a92.exe File created C:\Windows\f7618fd f761890.exe File opened for modification C:\Windows\SYSTEM.INI f761890.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2808 f761890.exe 2808 f761890.exe -
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process Token: SeDebugPrivilege 2808 f761890.exe Token: SeDebugPrivilege 2808 f761890.exe Token: SeDebugPrivilege 2808 f761890.exe Token: SeDebugPrivilege 2808 f761890.exe Token: SeDebugPrivilege 2808 f761890.exe Token: SeDebugPrivilege 2808 f761890.exe Token: SeDebugPrivilege 2808 f761890.exe Token: SeDebugPrivilege 2808 f761890.exe Token: SeDebugPrivilege 2808 f761890.exe Token: SeDebugPrivilege 2808 f761890.exe Token: SeDebugPrivilege 2808 f761890.exe Token: SeDebugPrivilege 2808 f761890.exe Token: SeDebugPrivilege 2808 f761890.exe Token: SeDebugPrivilege 2808 f761890.exe Token: SeDebugPrivilege 2808 f761890.exe Token: SeDebugPrivilege 2808 f761890.exe Token: SeDebugPrivilege 2808 f761890.exe Token: SeDebugPrivilege 2808 f761890.exe Token: SeDebugPrivilege 2808 f761890.exe Token: SeDebugPrivilege 2808 f761890.exe Token: SeDebugPrivilege 2808 f761890.exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 1868 wrote to memory of 2040 1868 rundll32.exe 28 PID 1868 wrote to memory of 2040 1868 rundll32.exe 28 PID 1868 wrote to memory of 2040 1868 rundll32.exe 28 PID 1868 wrote to memory of 2040 1868 rundll32.exe 28 PID 1868 wrote to memory of 2040 1868 rundll32.exe 28 PID 1868 wrote to memory of 2040 1868 rundll32.exe 28 PID 1868 wrote to memory of 2040 1868 rundll32.exe 28 PID 2040 wrote to memory of 2808 2040 rundll32.exe 29 PID 2040 wrote to memory of 2808 2040 rundll32.exe 29 PID 2040 wrote to memory of 2808 2040 rundll32.exe 29 PID 2040 wrote to memory of 2808 2040 rundll32.exe 29 PID 2808 wrote to memory of 1068 2808 f761890.exe 18 PID 2808 wrote to memory of 1168 2808 f761890.exe 20 PID 2808 wrote to memory of 1192 2808 f761890.exe 21 PID 2808 wrote to memory of 2384 2808 f761890.exe 23 PID 2808 wrote to memory of 1868 2808 f761890.exe 27 PID 2808 wrote to memory of 2040 2808 f761890.exe 28 PID 2808 wrote to memory of 2040 2808 f761890.exe 28 PID 2040 wrote to memory of 2488 2040 rundll32.exe 30 PID 2040 wrote to memory of 2488 2040 rundll32.exe 30 PID 2040 wrote to memory of 2488 2040 rundll32.exe 30 PID 2040 wrote to memory of 2488 2040 rundll32.exe 30 PID 2040 wrote to memory of 2412 2040 rundll32.exe 31 PID 2040 wrote to memory of 2412 2040 rundll32.exe 31 PID 2040 wrote to memory of 2412 2040 rundll32.exe 31 PID 2040 wrote to memory of 2412 2040 rundll32.exe 31 PID 2808 wrote to memory of 1068 2808 f761890.exe 18 PID 2808 wrote to memory of 1168 2808 f761890.exe 20 PID 2808 wrote to memory of 1192 2808 f761890.exe 21 PID 2808 wrote to memory of 2488 2808 f761890.exe 30 PID 2808 wrote to memory of 2488 2808 f761890.exe 30 PID 2808 wrote to memory of 2412 2808 f761890.exe 31 PID 2808 wrote to memory of 2412 2808 f761890.exe 31 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f761890.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" f761a92.exe
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1068
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1168
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1192
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6cd58da990c1a844a117bb0086fdf01360b1a46090f90ba82049ea35d5ced320.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6cd58da990c1a844a117bb0086fdf01360b1a46090f90ba82049ea35d5ced320.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Users\Admin\AppData\Local\Temp\f761890.exeC:\Users\Admin\AppData\Local\Temp\f761890.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2808
-
-
C:\Users\Admin\AppData\Local\Temp\f761a92.exeC:\Users\Admin\AppData\Local\Temp\f761a92.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:2488
-
-
C:\Users\Admin\AppData\Local\Temp\f7637a4.exeC:\Users\Admin\AppData\Local\Temp\f7637a4.exe4⤵
- Executes dropped EXE
PID:2412
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2384
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD5744b512106c22cc9dbe30b42856cc24f
SHA156aa68dad60c5991039fe0a3f69e93d9e3a21f2b
SHA2561578925f689e122896d0cf739e2c34ea7b299bca21f5072b3e023631f67c7869
SHA512f2c40508df9f95ed854e1fa881bdf0bcde7feab7d8039ca65f9b866ea626a93ce72a24c0ec909fe8161097b54934319beb57308392ec0086e8afd55915c3956e
-
Filesize
97KB
MD57a3475188ac8512bb4667629bf74298b
SHA1c57cff47254cf69ee23f11c33a8d9ebc24a4e644
SHA2567865e4b099f332bbc0a27caf27a1657e799a5e5d5aa3e717c4968b9788983a12
SHA512bf55c1c3235fe25db155b550a03a516c895302d41bd26ea673aca9eade5ae9eadb62dfa1609c5f994035fc09779e57e16a3c40fca3d470de95403cbbaeccad9c