Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-11-2024 19:01
Behavioral task
behavioral1
Sample
a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe
Resource
win10v2004-20241007-en
General
-
Target
a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe
-
Size
2.0MB
-
MD5
63f37a60aae7dc1cc35d06f53a620299
-
SHA1
6a9028c5474842b72b8e45fd641eba8ab5911d6d
-
SHA256
a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca
-
SHA512
921a9834c68b70b1f0e2459ff284b1fc751c5b1cfe59c6f6633b74c0cc0345e12db89b4f01c95b69c843085c76bc9c09c7233a81ef38e6df9c9eac70bd2fa0d2
-
SSDEEP
49152:YsThC6TYNwUXz+JR2wjx8+X5gZ+th1aaucQPfM7cSCGDt7WWcrRhajx3l7bQonWF:YsThC6TYNwUXz+JR2wjx8+JgZ+th1aas
Malware Config
Signatures
-
Modifies firewall policy service 3 TTPs 10 IoCs
Processes:
reg.exereg.exereg.exereg.exedescription ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\bot.exe = "C:\\Users\\Admin\\AppData\\Roaming\\bot.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Directory\\Windowsdef.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe -
Executes dropped EXE 3 IoCs
Processes:
Windowsdef.exeWindowsdef.exeWindowsdef.exepid Process 2124 Windowsdef.exe 4240 Windowsdef.exe 1208 Windowsdef.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDef = "C:\\Users\\Admin\\AppData\\Roaming\\Directory\\Windowsdef.exe" reg.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
Windowsdef.exedescription pid Process procid_target PID 2124 set thread context of 4240 2124 Windowsdef.exe 91 PID 2124 set thread context of 1208 2124 Windowsdef.exe 92 -
Processes:
resource yara_rule behavioral2/memory/3696-0-0x0000000000400000-0x00000000005FD000-memory.dmp upx behavioral2/files/0x000d000000023b52-16.dat upx behavioral2/memory/3696-28-0x0000000000400000-0x00000000005FD000-memory.dmp upx behavioral2/memory/4240-36-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/4240-34-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/1208-41-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral2/memory/1208-44-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral2/memory/2124-48-0x0000000000400000-0x00000000005FD000-memory.dmp upx behavioral2/memory/1208-37-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral2/memory/4240-31-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/4240-51-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/1208-52-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral2/memory/4240-53-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/4240-58-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/4240-60-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/4240-62-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/4240-65-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/4240-67-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/4240-69-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/4240-72-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/4240-74-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral2/memory/4240-76-0x0000000000400000-0x000000000045C000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
cmd.execmd.exereg.exereg.execmd.execmd.exeWindowsdef.exeWindowsdef.exeWindowsdef.exereg.exea1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.execmd.exereg.exereg.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windowsdef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windowsdef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windowsdef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry key 1 TTPs 4 IoCs
Processes:
reg.exereg.exereg.exereg.exepid Process 2724 reg.exe 2740 reg.exe 1368 reg.exe 1552 reg.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
Processes:
Windowsdef.exeWindowsdef.exedescription pid Process Token: SeDebugPrivilege 1208 Windowsdef.exe Token: 1 4240 Windowsdef.exe Token: SeCreateTokenPrivilege 4240 Windowsdef.exe Token: SeAssignPrimaryTokenPrivilege 4240 Windowsdef.exe Token: SeLockMemoryPrivilege 4240 Windowsdef.exe Token: SeIncreaseQuotaPrivilege 4240 Windowsdef.exe Token: SeMachineAccountPrivilege 4240 Windowsdef.exe Token: SeTcbPrivilege 4240 Windowsdef.exe Token: SeSecurityPrivilege 4240 Windowsdef.exe Token: SeTakeOwnershipPrivilege 4240 Windowsdef.exe Token: SeLoadDriverPrivilege 4240 Windowsdef.exe Token: SeSystemProfilePrivilege 4240 Windowsdef.exe Token: SeSystemtimePrivilege 4240 Windowsdef.exe Token: SeProfSingleProcessPrivilege 4240 Windowsdef.exe Token: SeIncBasePriorityPrivilege 4240 Windowsdef.exe Token: SeCreatePagefilePrivilege 4240 Windowsdef.exe Token: SeCreatePermanentPrivilege 4240 Windowsdef.exe Token: SeBackupPrivilege 4240 Windowsdef.exe Token: SeRestorePrivilege 4240 Windowsdef.exe Token: SeShutdownPrivilege 4240 Windowsdef.exe Token: SeDebugPrivilege 4240 Windowsdef.exe Token: SeAuditPrivilege 4240 Windowsdef.exe Token: SeSystemEnvironmentPrivilege 4240 Windowsdef.exe Token: SeChangeNotifyPrivilege 4240 Windowsdef.exe Token: SeRemoteShutdownPrivilege 4240 Windowsdef.exe Token: SeUndockPrivilege 4240 Windowsdef.exe Token: SeSyncAgentPrivilege 4240 Windowsdef.exe Token: SeEnableDelegationPrivilege 4240 Windowsdef.exe Token: SeManageVolumePrivilege 4240 Windowsdef.exe Token: SeImpersonatePrivilege 4240 Windowsdef.exe Token: SeCreateGlobalPrivilege 4240 Windowsdef.exe Token: 31 4240 Windowsdef.exe Token: 32 4240 Windowsdef.exe Token: 33 4240 Windowsdef.exe Token: 34 4240 Windowsdef.exe Token: 35 4240 Windowsdef.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exeWindowsdef.exeWindowsdef.exeWindowsdef.exepid Process 3696 a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe 2124 Windowsdef.exe 4240 Windowsdef.exe 1208 Windowsdef.exe 4240 Windowsdef.exe 4240 Windowsdef.exe -
Suspicious use of WriteProcessMemory 49 IoCs
Processes:
a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.execmd.exeWindowsdef.exeWindowsdef.execmd.execmd.execmd.execmd.exedescription pid Process procid_target PID 3696 wrote to memory of 3316 3696 a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe 86 PID 3696 wrote to memory of 3316 3696 a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe 86 PID 3696 wrote to memory of 3316 3696 a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe 86 PID 3316 wrote to memory of 316 3316 cmd.exe 89 PID 3316 wrote to memory of 316 3316 cmd.exe 89 PID 3316 wrote to memory of 316 3316 cmd.exe 89 PID 3696 wrote to memory of 2124 3696 a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe 90 PID 3696 wrote to memory of 2124 3696 a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe 90 PID 3696 wrote to memory of 2124 3696 a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe 90 PID 2124 wrote to memory of 4240 2124 Windowsdef.exe 91 PID 2124 wrote to memory of 4240 2124 Windowsdef.exe 91 PID 2124 wrote to memory of 4240 2124 Windowsdef.exe 91 PID 2124 wrote to memory of 4240 2124 Windowsdef.exe 91 PID 2124 wrote to memory of 4240 2124 Windowsdef.exe 91 PID 2124 wrote to memory of 4240 2124 Windowsdef.exe 91 PID 2124 wrote to memory of 4240 2124 Windowsdef.exe 91 PID 2124 wrote to memory of 4240 2124 Windowsdef.exe 91 PID 2124 wrote to memory of 1208 2124 Windowsdef.exe 92 PID 2124 wrote to memory of 1208 2124 Windowsdef.exe 92 PID 2124 wrote to memory of 1208 2124 Windowsdef.exe 92 PID 2124 wrote to memory of 1208 2124 Windowsdef.exe 92 PID 2124 wrote to memory of 1208 2124 Windowsdef.exe 92 PID 2124 wrote to memory of 1208 2124 Windowsdef.exe 92 PID 2124 wrote to memory of 1208 2124 Windowsdef.exe 92 PID 2124 wrote to memory of 1208 2124 Windowsdef.exe 92 PID 4240 wrote to memory of 3592 4240 Windowsdef.exe 93 PID 4240 wrote to memory of 3592 4240 Windowsdef.exe 93 PID 4240 wrote to memory of 3592 4240 Windowsdef.exe 93 PID 4240 wrote to memory of 4224 4240 Windowsdef.exe 94 PID 4240 wrote to memory of 4224 4240 Windowsdef.exe 94 PID 4240 wrote to memory of 4224 4240 Windowsdef.exe 94 PID 4240 wrote to memory of 2260 4240 Windowsdef.exe 95 PID 4240 wrote to memory of 2260 4240 Windowsdef.exe 95 PID 4240 wrote to memory of 2260 4240 Windowsdef.exe 95 PID 4240 wrote to memory of 3960 4240 Windowsdef.exe 96 PID 4240 wrote to memory of 3960 4240 Windowsdef.exe 96 PID 4240 wrote to memory of 3960 4240 Windowsdef.exe 96 PID 3592 wrote to memory of 2724 3592 cmd.exe 101 PID 3592 wrote to memory of 2724 3592 cmd.exe 101 PID 3592 wrote to memory of 2724 3592 cmd.exe 101 PID 4224 wrote to memory of 1552 4224 cmd.exe 102 PID 4224 wrote to memory of 1552 4224 cmd.exe 102 PID 4224 wrote to memory of 1552 4224 cmd.exe 102 PID 3960 wrote to memory of 1368 3960 cmd.exe 103 PID 3960 wrote to memory of 1368 3960 cmd.exe 103 PID 3960 wrote to memory of 1368 3960 cmd.exe 103 PID 2260 wrote to memory of 2740 2260 cmd.exe 104 PID 2260 wrote to memory of 2740 2260 cmd.exe 104 PID 2260 wrote to memory of 2740 2260 cmd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe"C:\Users\Admin\AppData\Local\Temp\a1b55be6b09d9a29939053f6bf787ad62b1c0af7f96e7397241acc9f335c3dca.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KJEDn.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDef" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe" /f3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:316
-
-
-
C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe"C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exeC:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4240 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2724
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1552
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2740
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\bot.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\bot.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1368
-
-
-
-
C:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exeC:\Users\Admin\AppData\Roaming\Directory\Windowsdef.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1208
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5130a1ad614bfc1851533b7a02e302622
SHA16cd68d0bacb7b24ca9baedc80d90f1bfca3bb92c
SHA2564620f5f49d3f3c3fcb10d7dd83e5fdc0b2efd44ae429ee5a8dc3e64d76e6bc9a
SHA51216b5e40deb2e66287b86bbff11ac986f36b94a5849fbe2ed7124296e95d563ec0e9b00cbd6008c993c383d1610d371177faf5a9cd5da77a34a778e901f9e7a25
-
Filesize
2.0MB
MD5b7a54016d6dc509552fa2069600fa57b
SHA1c39a3497d1609be5b9ca7dc5bf14a962ad36d217
SHA2562b250137429b48e7a0961702a03fae7ce8f07ec58c9eba56ee3ce4598a700725
SHA5127095601b58a09d96b340658109e501967a5f8a38380096dfc8d6e8315a058da4c902f70d83f752827e790fc5ac7e85dd57d10002ec95f2ec77e28794538f4fbf