Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system -
submitted
27-05-2024 09:17
Static task
static1
Behavioral task
behavioral1
Sample
acda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exe
Resource
win10v2004-20240426-en
General
-
Target
acda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exe
-
Size
1.8MB
-
MD5
7f64c8714d90b8bd315d88aeb6c26eb8
-
SHA1
ba929a1fb3747b49c8db5d7a0549df053210bbba
-
SHA256
acda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41
-
SHA512
17bafa8e21e8f8f58ef14cd751779ac61d51cad58359364c8fc7f9b9234cf1174441ee2dab5a86a3ade5a6463eab2a14bb4b017073e938fcf47c066043cebb15
-
SSDEEP
49152:V0A6thy7cNEuxcI7UgA8HV+Mh5O+6N/xKkT36+q+b:CA2hNtuI7UgA81l5pIpKkrUa
Malware Config
Extracted
amadey
4.21
0e6740
http://147.45.47.155
-
install_dir
9217037dc9
-
install_file
explortu.exe
-
strings_key
8e894a8a4a3d0da8924003a561cfb244
-
url_paths
/ku4Nor9/index.php
Extracted
amadey
4.21
49e482
http://147.45.47.70
-
install_dir
1b29d73536
-
install_file
axplont.exe
-
strings_key
4d31dd1a190d9879c21fac6d87dc0043
-
url_paths
/tr8nomy/index.php
Extracted
xehook
2.1.5 Stable
https://ussrconnect.ru/
https://c0nnect1ng.ru/
https://vodkaenjoy.ru/
-
id
105
-
token
xehook105401801
Extracted
risepro
147.45.47.126:58709
Signatures
-
Detect Xehook Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2076-89-0x0000000000400000-0x000000000042C000-memory.dmp family_xehook -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
Processes:
88657694a5.exe2038dce7a2.exeaxplont.exeexplortu.exeacda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exeexplortu.exeaxplont.exeexplortu.exeaxplont.exeexplortu.exeaxplont.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 88657694a5.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2038dce7a2.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplont.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explortu.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ acda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explortu.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplont.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explortu.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplont.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explortu.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplont.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explortu.exeacda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exeexplortu.exe2038dce7a2.exeaxplont.exeaxplont.exe88657694a5.exeaxplont.exeexplortu.exeaxplont.exeexplortu.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explortu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion acda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explortu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explortu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2038dce7a2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 88657694a5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explortu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 88657694a5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explortu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explortu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explortu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion acda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2038dce7a2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explortu.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplont.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplont.exe -
Executes dropped EXE 11 IoCs
Processes:
explortu.exe88657694a5.exe2038dce7a2.exeaxplont.exevictor.exeaxplont.exeexplortu.exeaxplont.exeexplortu.exeaxplont.exeexplortu.exepid process 2908 explortu.exe 2684 88657694a5.exe 888 2038dce7a2.exe 4252 axplont.exe 1064 victor.exe 4336 axplont.exe 4952 explortu.exe 3208 axplont.exe 1984 explortu.exe 2896 axplont.exe 3808 explortu.exe -
Identifies Wine through registry keys 2 TTPs 11 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
explortu.exe88657694a5.exeaxplont.exeexplortu.exeaxplont.exeexplortu.exeacda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exe2038dce7a2.exeaxplont.exeaxplont.exeexplortu.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine explortu.exe Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine 88657694a5.exe Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine axplont.exe Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine explortu.exe Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine axplont.exe Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine explortu.exe Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine acda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exe Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine 2038dce7a2.exe Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine axplont.exe Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine axplont.exe Key opened \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Wine explortu.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
explortu.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\2038dce7a2.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\2038dce7a2.exe" explortu.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 ip-api.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
Processes:
acda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exeexplortu.exe88657694a5.exe2038dce7a2.exeaxplont.exeaxplont.exeexplortu.exeaxplont.exeexplortu.exeaxplont.exeexplortu.exepid process 1060 acda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exe 2908 explortu.exe 2684 88657694a5.exe 888 2038dce7a2.exe 4252 axplont.exe 4336 axplont.exe 4952 explortu.exe 3208 axplont.exe 1984 explortu.exe 2896 axplont.exe 3808 explortu.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
victor.exedescription pid process target process PID 1064 set thread context of 2076 1064 victor.exe RegAsm.exe -
Drops file in Windows directory 2 IoCs
Processes:
88657694a5.exeacda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exedescription ioc process File created C:\Windows\Tasks\axplont.job 88657694a5.exe File created C:\Windows\Tasks\explortu.job acda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4928 1064 WerFault.exe victor.exe -
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
acda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exeexplortu.exe88657694a5.exe2038dce7a2.exeaxplont.exeaxplont.exeexplortu.exeaxplont.exeexplortu.exeaxplont.exeexplortu.exepid process 1060 acda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exe 1060 acda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exe 2908 explortu.exe 2908 explortu.exe 2684 88657694a5.exe 2684 88657694a5.exe 888 2038dce7a2.exe 888 2038dce7a2.exe 4252 axplont.exe 4252 axplont.exe 4336 axplont.exe 4336 axplont.exe 4952 explortu.exe 4952 explortu.exe 3208 axplont.exe 3208 axplont.exe 1984 explortu.exe 1984 explortu.exe 2896 axplont.exe 2896 axplont.exe 3808 explortu.exe 3808 explortu.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RegAsm.exedescription pid process Token: SeDebugPrivilege 2076 RegAsm.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
88657694a5.exepid process 2684 88657694a5.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
acda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exeexplortu.exe88657694a5.exeaxplont.exevictor.exedescription pid process target process PID 1060 wrote to memory of 2908 1060 acda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exe explortu.exe PID 1060 wrote to memory of 2908 1060 acda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exe explortu.exe PID 1060 wrote to memory of 2908 1060 acda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exe explortu.exe PID 2908 wrote to memory of 2124 2908 explortu.exe explortu.exe PID 2908 wrote to memory of 2124 2908 explortu.exe explortu.exe PID 2908 wrote to memory of 2124 2908 explortu.exe explortu.exe PID 2908 wrote to memory of 2684 2908 explortu.exe 88657694a5.exe PID 2908 wrote to memory of 2684 2908 explortu.exe 88657694a5.exe PID 2908 wrote to memory of 2684 2908 explortu.exe 88657694a5.exe PID 2684 wrote to memory of 4252 2684 88657694a5.exe axplont.exe PID 2684 wrote to memory of 4252 2684 88657694a5.exe axplont.exe PID 2684 wrote to memory of 4252 2684 88657694a5.exe axplont.exe PID 2908 wrote to memory of 888 2908 explortu.exe 2038dce7a2.exe PID 2908 wrote to memory of 888 2908 explortu.exe 2038dce7a2.exe PID 2908 wrote to memory of 888 2908 explortu.exe 2038dce7a2.exe PID 4252 wrote to memory of 1064 4252 axplont.exe victor.exe PID 4252 wrote to memory of 1064 4252 axplont.exe victor.exe PID 4252 wrote to memory of 1064 4252 axplont.exe victor.exe PID 1064 wrote to memory of 2076 1064 victor.exe RegAsm.exe PID 1064 wrote to memory of 2076 1064 victor.exe RegAsm.exe PID 1064 wrote to memory of 2076 1064 victor.exe RegAsm.exe PID 1064 wrote to memory of 2076 1064 victor.exe RegAsm.exe PID 1064 wrote to memory of 2076 1064 victor.exe RegAsm.exe PID 1064 wrote to memory of 2076 1064 victor.exe RegAsm.exe PID 1064 wrote to memory of 2076 1064 victor.exe RegAsm.exe PID 1064 wrote to memory of 2076 1064 victor.exe RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\acda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exe"C:\Users\Admin\AppData\Local\Temp\acda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"3⤵PID:2124
-
-
C:\Users\Admin\1000004002\88657694a5.exe"C:\Users\Admin\1000004002\88657694a5.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Users\Admin\AppData\Local\Temp\1000025001\victor.exe"C:\Users\Admin\AppData\Local\Temp\1000025001\victor.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 2726⤵
- Program crash
PID:4928
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000005001\2038dce7a2.exe"C:\Users\Admin\AppData\Local\Temp\1000005001\2038dce7a2.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:888
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1064 -ip 10641⤵PID:4132
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4336
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4952
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3208
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1984
-
C:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exeC:\Users\Admin\AppData\Local\Temp\1b29d73536\axplont.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2896
-
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exeC:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3808
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD5d8f7b65b86688baada4a017648e22855
SHA15e226a7dc835bf44f562523b3116bd9681755296
SHA2564ae8a0ac75ea76fc633f6757c92830dbce8905317952b13e9512c70bc6e601e4
SHA5122235f03d59d5630be241a0802c6feb0de1a3a8747c1fa550f3f3eee316850496238544b6dcfe015a5a4a9bacecdb0ff80bd72efac86b8408efd74561a517dedd
-
Filesize
2.3MB
MD5bb9d0873c59e7c04316586f2ec66c6bf
SHA1ef6b0685ed8cddcd7bfaea7ba1b19e8f3d26e48b
SHA256d0557d1508baa5a759b75ec549e77b5cbe924f25c4ad3be7a3fe55785018044a
SHA512937a102182ed66eeeeb65219d789dcc173b61b0b27a2e00dc7586eec484aee71f80a470125428e4b28fed2152a509a1aac64271ee6414b0138c4bf7b38e078f5
-
Filesize
1.0MB
MD5585d16749fda38cb7f8a987137890167
SHA10b3f1064b2f0ddf397552e442e99e1c233c67df1
SHA256496219a22d96d4eb4c699045521b7fa73bba242d4e84e62f565e8d8046fa00c5
SHA512784c3a2e3fa3e90f57ed059a5bc204441da3ebc173a93b67e752f84cc2e2cf0f4ddc49aabeaa3233053e49d51633f6bb93a90c0735292084305b00bf79b2c632
-
Filesize
1.8MB
MD57f64c8714d90b8bd315d88aeb6c26eb8
SHA1ba929a1fb3747b49c8db5d7a0549df053210bbba
SHA256acda11a060876d8a641b995761d2569ba0b419e25640d1124258b2429c0acf41
SHA51217bafa8e21e8f8f58ef14cd751779ac61d51cad58359364c8fc7f9b9234cf1174441ee2dab5a86a3ade5a6463eab2a14bb4b017073e938fcf47c066043cebb15