Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05-10-2024 07:00
Static task
static1
Behavioral task
behavioral1
Sample
98512fdc1d3b34e2196ca5b34e14f29c.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
98512fdc1d3b34e2196ca5b34e14f29c.exe
Resource
win10v2004-20240802-en
General
-
Target
98512fdc1d3b34e2196ca5b34e14f29c.exe
-
Size
4.8MB
-
MD5
98512fdc1d3b34e2196ca5b34e14f29c
-
SHA1
460f2bbed2bc7419c1664d7f8a9e284e5b9bea83
-
SHA256
1478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399
-
SHA512
ba83759ab4a14007c8344fa665329898d520f640cfab6ec7b177b191f423aa9ec9d07577d64fe11d3cbf56be1744f2e66c1fd0c8a6529fd867377e62445cd6a0
-
SSDEEP
3072:patWqvozZqlXS99bMRfCh+T5bOCYEu05ukO3JJ:pMWqcIXS99bMZ5sCYE7O3P
Malware Config
Extracted
gurcu
https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4573656473
https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendDocumen
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation 98512fdc1d3b34e2196ca5b34e14f29c.exe Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation 98512fdc1d3b34e2196ca5b34e14f29c.exe -
Executes dropped EXE 5 IoCs
pid Process 2412 98512fdc1d3b34e2196ca5b34e14f29c.exe 2780 tor-real.exe 1384 98512fdc1d3b34e2196ca5b34e14f29c.exe 2420 98512fdc1d3b34e2196ca5b34e14f29c.exe 3128 98512fdc1d3b34e2196ca5b34e14f29c.exe -
Loads dropped DLL 9 IoCs
pid Process 2780 tor-real.exe 2780 tor-real.exe 2780 tor-real.exe 2780 tor-real.exe 2780 tor-real.exe 2780 tor-real.exe 2780 tor-real.exe 2780 tor-real.exe 2780 tor-real.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 98512fdc1d3b34e2196ca5b34e14f29c.exe Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 98512fdc1d3b34e2196ca5b34e14f29c.exe Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 98512fdc1d3b34e2196ca5b34e14f29c.exe Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 98512fdc1d3b34e2196ca5b34e14f29c.exe Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 98512fdc1d3b34e2196ca5b34e14f29c.exe Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 98512fdc1d3b34e2196ca5b34e14f29c.exe Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 98512fdc1d3b34e2196ca5b34e14f29c.exe Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 98512fdc1d3b34e2196ca5b34e14f29c.exe Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 98512fdc1d3b34e2196ca5b34e14f29c.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 31 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tor-real.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 1304 cmd.exe 4980 netsh.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 112 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2116 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2412 98512fdc1d3b34e2196ca5b34e14f29c.exe 2412 98512fdc1d3b34e2196ca5b34e14f29c.exe 2412 98512fdc1d3b34e2196ca5b34e14f29c.exe 2412 98512fdc1d3b34e2196ca5b34e14f29c.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 428 98512fdc1d3b34e2196ca5b34e14f29c.exe Token: SeDebugPrivilege 2412 98512fdc1d3b34e2196ca5b34e14f29c.exe Token: SeDebugPrivilege 1384 98512fdc1d3b34e2196ca5b34e14f29c.exe Token: SeDebugPrivilege 2420 98512fdc1d3b34e2196ca5b34e14f29c.exe Token: SeDebugPrivilege 3128 98512fdc1d3b34e2196ca5b34e14f29c.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 428 wrote to memory of 552 428 98512fdc1d3b34e2196ca5b34e14f29c.exe 83 PID 428 wrote to memory of 552 428 98512fdc1d3b34e2196ca5b34e14f29c.exe 83 PID 552 wrote to memory of 3436 552 cmd.exe 85 PID 552 wrote to memory of 3436 552 cmd.exe 85 PID 552 wrote to memory of 112 552 cmd.exe 86 PID 552 wrote to memory of 112 552 cmd.exe 86 PID 552 wrote to memory of 2116 552 cmd.exe 87 PID 552 wrote to memory of 2116 552 cmd.exe 87 PID 552 wrote to memory of 2412 552 cmd.exe 88 PID 552 wrote to memory of 2412 552 cmd.exe 88 PID 2412 wrote to memory of 2780 2412 98512fdc1d3b34e2196ca5b34e14f29c.exe 89 PID 2412 wrote to memory of 2780 2412 98512fdc1d3b34e2196ca5b34e14f29c.exe 89 PID 2412 wrote to memory of 2780 2412 98512fdc1d3b34e2196ca5b34e14f29c.exe 89 PID 2412 wrote to memory of 1304 2412 98512fdc1d3b34e2196ca5b34e14f29c.exe 92 PID 2412 wrote to memory of 1304 2412 98512fdc1d3b34e2196ca5b34e14f29c.exe 92 PID 1304 wrote to memory of 392 1304 cmd.exe 94 PID 1304 wrote to memory of 392 1304 cmd.exe 94 PID 1304 wrote to memory of 4980 1304 cmd.exe 95 PID 1304 wrote to memory of 4980 1304 cmd.exe 95 PID 1304 wrote to memory of 1744 1304 cmd.exe 96 PID 1304 wrote to memory of 1744 1304 cmd.exe 96 PID 2412 wrote to memory of 2948 2412 98512fdc1d3b34e2196ca5b34e14f29c.exe 97 PID 2412 wrote to memory of 2948 2412 98512fdc1d3b34e2196ca5b34e14f29c.exe 97 PID 2948 wrote to memory of 1936 2948 cmd.exe 99 PID 2948 wrote to memory of 1936 2948 cmd.exe 99 PID 2948 wrote to memory of 4692 2948 cmd.exe 100 PID 2948 wrote to memory of 4692 2948 cmd.exe 100 PID 2948 wrote to memory of 4552 2948 cmd.exe 101 PID 2948 wrote to memory of 4552 2948 cmd.exe 101 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 98512fdc1d3b34e2196ca5b34e14f29c.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 98512fdc1d3b34e2196ca5b34e14f29c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\98512fdc1d3b34e2196ca5b34e14f29c.exe"C:\Users\Admin\AppData\Local\Temp\98512fdc1d3b34e2196ca5b34e14f29c.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:428 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "98512fdc1d3b34e2196ca5b34e14f29c" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\98512fdc1d3b34e2196ca5b34e14f29c.exe" &&START "" "C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:3436
-
-
C:\Windows\system32\timeout.exetimeout /t 33⤵
- Delays execution with timeout.exe
PID:112
-
-
C:\Windows\system32\schtasks.exeschtasks /create /tn "98512fdc1d3b34e2196ca5b34e14f29c" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:2116
-
-
C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe"C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2412 -
C:\Users\Admin\AppData\Local\lwblm0rcyp\tor\tor-real.exe"C:\Users\Admin\AppData\Local\lwblm0rcyp\tor\tor-real.exe" -f "C:\Users\Admin\AppData\Local\lwblm0rcyp\tor\torrc.txt"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2780
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"4⤵
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\system32\chcp.comchcp 650015⤵PID:392
-
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:4980
-
-
C:\Windows\system32\findstr.exefindstr /R /C:"[ ]:[ ]"5⤵PID:1744
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"4⤵
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\system32\chcp.comchcp 650015⤵PID:1936
-
-
C:\Windows\system32\netsh.exenetsh wlan show networks mode=bssid5⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4692
-
-
C:\Windows\system32\findstr.exefindstr "SSID BSSID Signal"5⤵PID:4552
-
-
-
-
-
C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exeC:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1384
-
C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exeC:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
C:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exeC:\Users\Admin\AppData\Local\Starlabs\98512fdc1d3b34e2196ca5b34e14f29c.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3128
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5fc1be6f3f52d5c841af91f8fc3f790cb
SHA1ac79b4229e0a0ce378ae22fc6104748c5f234511
SHA2566da862f7c7feffca99cd58712ece93928c6ca6aed617f5d8c10a4718eaa2a910
SHA5122f46165017309ee1a0c1b23e30a71e52e86ad8933e2649bf58c3f4628c5aa75659f5b8f6be32c2882f220b2f3ff2fd50d8766bf0a3708c94c2c634c051a05ea6
-
Filesize
4.8MB
MD598512fdc1d3b34e2196ca5b34e14f29c
SHA1460f2bbed2bc7419c1664d7f8a9e284e5b9bea83
SHA2561478772a2208da0b42fd08d2e4f3506259d09c50b5af093471d6c874bf19b399
SHA512ba83759ab4a14007c8344fa665329898d520f640cfab6ec7b177b191f423aa9ec9d07577d64fe11d3cbf56be1744f2e66c1fd0c8a6529fd867377e62445cd6a0
-
Filesize
4B
MD5ce4449660c6523b377b22a1dc2da5556
SHA1506899372df4c7eab08180af3f2baa8dccfa1063
SHA256490c19f4dfce16f41a6f60a265bf762f88efd01a9e639e3dc4d2724435cddae1
SHA512ae8f8d227090a4721eaa45590177f7fe75041a614d52555f3dbe47d2731b4af4f579e1759c199276b79effd525b4ef7e2ce85b3a5e5bd01cb50d3fa6c47d6997
-
Filesize
2.8MB
MD5b15b738c20b84e450133c57030b516fc
SHA10fc863cd397da0fc24194c6338f430574f27bae2
SHA256c3f6dc1daaf66bfc938da3078aee6f8b8b199a511376bb7c58c75d8f88b32a07
SHA512be0eee320b4ffee0b091c008b921922b745499e370a4627b75e3ec8bf75f4f72f67388841440cf1a1c80ca0883e5ce8dadb692ebf4565ddf787f7a7e741e1e48
-
Filesize
9.1MB
MD5cfe317bbce6a25a7c59445d753b9d204
SHA17e2a8204033f057d49e148095f0801055d752b78
SHA25631454436ef1c67f377b9fb1a147e0748dc3210d8d72aa3face52f13ba749cea8
SHA5120c2c7bf4d33867e4813e16c50a7c386d734bd6ae3be1b2ba36d97d3a791ecb46f346411d5501906a650a9f2f37ec131396594662c7346b70bcf468f1932cd82d
-
Filesize
64B
MD5d69c3d7c4293344758485aa2adb2eb30
SHA1afc70fb40667b9900dd18309d41312d4a95b4b8d
SHA256d94de6ca2990fc125bc823f8aed9947b94d173fa3cc939df8fac523428f9dea8
SHA512f4efcf9afe15d6e89f07fdbe80512ecb13513f0ada77bed437e17f2b2f74304d096087c9a315e6cd3b19c55a38bbf5f9d85d4464d046fc81ca056e54d16fc515
-
Filesize
3.5MB
MD56d48d76a4d1c9b0ff49680349c4d28ae
SHA11bb3666c16e11eff8f9c3213b20629f02d6a66cb
SHA2563f08728c7a67e4998fbdc7a7cb556d8158efdcdaf0acf75b7789dccace55662d
SHA51209a4fd7b37cf52f6a0c3bb0a7517e2d2439f4af8e03130aed3296d7448585ea5e3c0892e1e1202f658ef2d083ce13c436779e202c39620a70a17b026705c65c9
-
Filesize
1.1MB
MD5a3bf8e33948d94d490d4613441685eee
SHA175ed7f6e2855a497f45b15270c3ad4aed6ad02e2
SHA25691c812a33871e40b264761f1418e37ebfeb750fe61ca00cbcbe9f3769a8bf585
SHA512c20ef2efcacb5f8c7e2464de7fde68bf610ab2e0608ff4daed9bf676996375db99bee7e3f26c5bd6cca63f9b2d889ed5460ec25004130887cd1a90b892be2b28
-
Filesize
1.0MB
MD5bd40ff3d0ce8d338a1fe4501cd8e9a09
SHA13aae8c33bf0ec9adf5fbf8a361445969de409b49
SHA256ebda776a2a353f8f0690b1c7706b0cdaff3d23e1618515d45e451fc19440501c
SHA512404fb3c107006b832b8e900f6e27873324cd0a7946cdccf4ffeea365a725892d929e8b160379af9782bcd6cfeb4c3c805740e21280b42bb2ce8f39f26792e5a1
-
Filesize
1.1MB
MD5945d225539becc01fbca32e9ff6464f0
SHA1a614eb470defeab01317a73380f44db669100406
SHA256c697434857a039bf27238c105be0487a0c6c611dd36cb1587c3c6b3bf582718a
SHA512409f8f1e6d683a3cbe7954bce37013316dee086cdbd7ecda88acb5d94031cff6166a93b641875116327151823cce747bcf254c0185e0770e2b74b7c5e067bc4a
-
Filesize
246KB
MD5b77328da7cead5f4623748a70727860d
SHA113b33722c55cca14025b90060e3227db57bf5327
SHA25646541d9e28c18bc11267630920b97c42f104c258b55e2f62e4a02bcd5f03e0e7
SHA5122f1bd13357078454203092ed5ddc23a8baa5e64202fba1e4f98eacf1c3c184616e527468a96ff36d98b9324426dddfa20b62b38cf95c6f5c0dc32513ebace9e2
-
Filesize
512KB
MD519d7cc4377f3c09d97c6da06fbabc7dc
SHA13a3ba8f397fb95ed5df22896b2c53a326662fcc9
SHA256228fcfe9ed0574b8da32dd26eaf2f5dbaef0e1bd2535cb9b1635212ccdcbf84d
SHA51223711285352cdec6815b5dd6e295ec50568fab7614706bc8d5328a4a0b62991c54b16126ed9e522471d2367b6f32fa35feb41bfa77b3402680d9a69f53962a4a
-
Filesize
4.0MB
MD507244a2c002ffdf1986b454429eace0b
SHA1d7cd121caac2f5989aa68a052f638f82d4566328
SHA256e9522e6912a0124c0a8c9ff9bb3712b474971376a4eb4ca614bb1664a2b4abcf
SHA5124a09db85202723a73703c5926921fef60c3dddae21528a01936987306c5e7937463f94a2f4a922811de1f76621def2a8a597a8b38a719dd24e6ff3d4e07492ca
-
Filesize
226B
MD56a7d7376650c6d1a50f3812334c452c1
SHA1bfb9c18cc2492af0f117a2623a35f9f8e6e88dc9
SHA256f18e785fc5e1f2069a9318b3857b69dfe8aa5470d2ce8fa91ebe58208d5c2538
SHA5122a1fc4ff22135b4510233ac4351a33b25e2694db58fe90338fdfc359159dd82045c2b503279bbd67401e0b755617a5536430a70235863ade19c930e54dc57f23
-
Filesize
121KB
MD56f98da9e33cd6f3dd60950413d3638ac
SHA1e630bdf8cebc165aa81464ff20c1d55272d05675
SHA256219d9d5bf0de4c2251439c89dd5f2959ee582e7f9f7d5ff66a29c88753a3a773
SHA5122983faaf7f47a8f79a38122aa617e65e7deddd19ba9a98b62acf17b48e5308099b852f21aaf8ca6fe11e2cc76c36eed7ffa3307877d4e67b1659fe6e4475205c