Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
15-05-2024 15:16
Static task
static1
Behavioral task
behavioral1
Sample
2ce10fcd4e165a82a76f77d1f661fa36.exe
Resource
win7-20240221-en
General
-
Target
2ce10fcd4e165a82a76f77d1f661fa36.exe
-
Size
2.3MB
-
MD5
2ce10fcd4e165a82a76f77d1f661fa36
-
SHA1
a3ffe8a330d9e2128172b74dd76f0a31060c0e1e
-
SHA256
21015dd4a12034f48c1432acbf1149131a3dd1412f4b8426ec7273d95dc19da6
-
SHA512
f2ed5af0ba9173d483943d7a3761ae2419232ec52980597dfc7ef9c79516297fd2df63970528faeed14f642fb1dbc00114d659068c33cc619ff70583da0bc818
-
SSDEEP
49152:eOtTYNB84W4Vjms6VSSiht/zAKq4uhL61/I+C62w3/MLfQyTIUhlLY/EDZ50R:eOtTYzfVv6VSSEt/z7qfL6e+HaIez0Ee
Malware Config
Signatures
-
Detect ZGRat V1 3 IoCs
resource yara_rule behavioral2/files/0x000700000002340e-17.dat family_zgrat_v1 behavioral2/files/0x0008000000023411-38.dat family_zgrat_v1 behavioral2/memory/1212-40-0x0000000000170000-0x0000000000378000-memory.dmp family_zgrat_v1 -
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3164 3788 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3064 3788 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4280 3788 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3908 3788 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2720 3788 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3628 3788 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4108 3788 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2248 3788 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4532 3788 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 220 3788 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4540 3788 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 632 3788 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4376 3788 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4900 3788 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 400 3788 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4392 3788 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1604 3788 schtasks.exe 89 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3792 3788 schtasks.exe 89 -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation HyperPortsavesmonitor.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 2ce10fcd4e165a82a76f77d1f661fa36.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation tzidRecG.exe -
Executes dropped EXE 4 IoCs
pid Process 1304 Cheat.sfx.exe 4932 tzidRecG.exe 1212 HyperPortsavesmonitor.exe 4008 System.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 7 IoCs
description ioc Process File created C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe HyperPortsavesmonitor.exe File created C:\Program Files (x86)\Windows Multimedia Platform\5940a34987c991 HyperPortsavesmonitor.exe File created C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\sppsvc.exe HyperPortsavesmonitor.exe File opened for modification C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\sppsvc.exe HyperPortsavesmonitor.exe File created C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\0a1fd5f707cd16 HyperPortsavesmonitor.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe HyperPortsavesmonitor.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\cc11b995f2a76d HyperPortsavesmonitor.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\assembly\NativeImages_v2.0.50727_32\System.exe HyperPortsavesmonitor.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\27d1bcfc3c54e0 HyperPortsavesmonitor.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 4736 1304 WerFault.exe 83 -
Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4532 schtasks.exe 4540 schtasks.exe 632 schtasks.exe 4376 schtasks.exe 4900 schtasks.exe 1604 schtasks.exe 3792 schtasks.exe 2720 schtasks.exe 3628 schtasks.exe 3064 schtasks.exe 3908 schtasks.exe 4108 schtasks.exe 220 schtasks.exe 400 schtasks.exe 4280 schtasks.exe 2248 schtasks.exe 4392 schtasks.exe 3164 schtasks.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings tzidRecG.exe Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings HyperPortsavesmonitor.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4664 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe 1212 HyperPortsavesmonitor.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1212 HyperPortsavesmonitor.exe Token: SeDebugPrivilege 4008 System.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 748 wrote to memory of 1304 748 2ce10fcd4e165a82a76f77d1f661fa36.exe 83 PID 748 wrote to memory of 1304 748 2ce10fcd4e165a82a76f77d1f661fa36.exe 83 PID 748 wrote to memory of 1304 748 2ce10fcd4e165a82a76f77d1f661fa36.exe 83 PID 748 wrote to memory of 4932 748 2ce10fcd4e165a82a76f77d1f661fa36.exe 85 PID 748 wrote to memory of 4932 748 2ce10fcd4e165a82a76f77d1f661fa36.exe 85 PID 748 wrote to memory of 4932 748 2ce10fcd4e165a82a76f77d1f661fa36.exe 85 PID 4932 wrote to memory of 2456 4932 tzidRecG.exe 87 PID 4932 wrote to memory of 2456 4932 tzidRecG.exe 87 PID 4932 wrote to memory of 2456 4932 tzidRecG.exe 87 PID 2456 wrote to memory of 1608 2456 WScript.exe 96 PID 2456 wrote to memory of 1608 2456 WScript.exe 96 PID 2456 wrote to memory of 1608 2456 WScript.exe 96 PID 1608 wrote to memory of 1212 1608 cmd.exe 98 PID 1608 wrote to memory of 1212 1608 cmd.exe 98 PID 1212 wrote to memory of 4204 1212 HyperPortsavesmonitor.exe 117 PID 1212 wrote to memory of 4204 1212 HyperPortsavesmonitor.exe 117 PID 4204 wrote to memory of 864 4204 cmd.exe 119 PID 4204 wrote to memory of 864 4204 cmd.exe 119 PID 4204 wrote to memory of 4664 4204 cmd.exe 120 PID 4204 wrote to memory of 4664 4204 cmd.exe 120 PID 4204 wrote to memory of 4008 4204 cmd.exe 123 PID 4204 wrote to memory of 4008 4204 cmd.exe 123 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ce10fcd4e165a82a76f77d1f661fa36.exe"C:\Users\Admin\AppData\Local\Temp\2ce10fcd4e165a82a76f77d1f661fa36.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Users\Admin\AppData\Local\Temp\Cheat.sfx.exe"C:\Users\Admin\AppData\Local\Temp\Cheat.sfx.exe"2⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 9883⤵
- Program crash
PID:4736
-
-
-
C:\Users\Admin\AppData\Local\Temp\tzidRecG.exe"C:\Users\Admin\AppData\Local\Temp\tzidRecG.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\comDriverinto\yqpI0X0JgApYgtlSsocRWTSVHRK.vbe"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\comDriverinto\ucUiAXPN2zx9bZrTcu4WHQVTQZueYbZneVkQGpMslSdQ.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\comDriverinto\HyperPortsavesmonitor.exe"C:\comDriverinto/HyperPortsavesmonitor.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ReXi8YFQXF.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Windows\system32\chcp.comchcp 650017⤵PID:864
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- Runs ping.exe
PID:4664
-
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.exe"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4008
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1304 -ip 13041⤵PID:3380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3908
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SoftwareDistribution\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\SoftwareDistribution\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "HyperPortsavesmonitorH" /sc MINUTE /mo 11 /tr "'C:\comDriverinto\HyperPortsavesmonitor.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "HyperPortsavesmonitor" /sc ONLOGON /tr "'C:\comDriverinto\HyperPortsavesmonitor.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "HyperPortsavesmonitorH" /sc MINUTE /mo 14 /tr "'C:\comDriverinto\HyperPortsavesmonitor.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3792
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
368KB
MD5e56343f2eb88fef62d4cf5df0a2c7734
SHA121f1b3a3dcbc29388bb72bc7aa7fc4ce654c6135
SHA256d3e4275fe34ac20bb9d3c53e9971d2a21ba8f7ec5dc8b943c1a52edb2aa0f1ea
SHA512b56053c8f0f86ee235cce13601000ed31622b87a5b5b6ed7e723b94bc4a9281918feccbab1f99d827187982ad4d5de2eafb02dd8d6dd179b49e2e029eeef4f32
-
Filesize
185B
MD5fdc7ea9bc7767087bfa15a1c12b2a7ea
SHA14a805efb0a154dd5b8a0ab7c339b4f3254538409
SHA2561ba2b5158add31c8099def39972afbb145d18d6de34822055c62c26c9fafb9cc
SHA512a338ae77d3063957c0858374c42d6da2249932a8efc582fbecef5257591d0799197b1ddb1c85cff224f43a816f2e39c40e2cae2c9756fb2346373fecaa92a689
-
Filesize
2.3MB
MD592a0909017b45d6498197b1b817e9303
SHA1bc8a0aad4e4f3e6ddbd816a98873b24ba22bf502
SHA25671fcb54017a98fe981d8b725891371518878e684acc63ca9c81f284f5e4b6e23
SHA512b59ae5bd68f1ef934dbba306312c288f1e81b744cf717cff4a529f7b2ed779cd4f85d85e77b0589d1971d42896b8523b495ae1d81921d75cb7df43308940a021
-
Filesize
2.0MB
MD575da1def0cb2b50f387441c2ebed4120
SHA17eca930b9afe2bf57ab9a3e546cc9969d4e5dce7
SHA2562edf5f9fc75dc5cc293db94f337b66524386b0a4d1fd6e56f3d7ad30963cc790
SHA512adc14364c6e6d614f2a92b7094cced4ca247f96a27844c6601b3f2519de72d3215bb3335eae095363dd82edc2a3ff31b631c61df272c8cf023f72f8bcce737e1
-
Filesize
85B
MD597f25de6d41811f5f69377a04cfa76c7
SHA1e1ff3b69aa65bbf38b49bf3972f739c0af5f6805
SHA256caf5baa2d2e1705ecae3aa9e95212d2cde2141161defa5e19b7aa9fda05575f4
SHA512d4af223a7e438d596655cdb1e4189792cf685b9c02f8e5ae0290eabbe29972d1182daaa98d39abf803d1e41b6eefa671d2ae3f051568cfba6adaaa77b8ad74eb
-
Filesize
236B
MD54ef5f91cd4fabd32da27992dacfc6ad6
SHA1e6aae689706c107b9b6ff58e474df1d3fe1f16ff
SHA256fc9b4a6b7b877ee52d56c5b1440de893d1b2bce5fbdf96c6233274af24a2cea7
SHA512bc1698dc036031250e9dcb9c0d7b87271b1dc15fdaf63ef991aab195cdf9fe4056b2a4a164f46346cb9bfe63aa6c458555de43c9c96945f0f5752d983b1536b6