Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
110s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/12/2024, 18:59 UTC
Static task
static1
Behavioral task
behavioral1
Sample
31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe
Resource
win7-20240903-en
General
-
Target
31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe
-
Size
165KB
-
MD5
cd0e91bba7713d1a7c66d50c4f9aed90
-
SHA1
fc4dde2537881ce341b8054fe64a9659a235bfaa
-
SHA256
31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095
-
SHA512
2a1eb564056bb3ea26d4ec36ba1c88482ec7fb26b788dbcde7389f654400403519d0d9c82ec544694e668ddbebba0b3a28ca4e70bf0e452764a6b5ada50615a5
-
SSDEEP
3072:EfkfcHxa/ZrtSBnZ+k2/d7V2g855t1dRTvydaDgA+XtZ4X:akfcHxaRhS7+kId/85zLRxgAiZ4
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 5 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule behavioral2/memory/2928-18-0x0000000000400000-0x0000000000445000-memory.dmp family_cycbot behavioral2/memory/2520-19-0x0000000000400000-0x0000000000445000-memory.dmp family_cycbot behavioral2/memory/2520-72-0x0000000000400000-0x0000000000445000-memory.dmp family_cycbot behavioral2/memory/1344-75-0x0000000000400000-0x0000000000445000-memory.dmp family_cycbot behavioral2/memory/2520-184-0x0000000000400000-0x0000000000445000-memory.dmp family_cycbot -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe" 31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe -
resource yara_rule behavioral2/memory/2520-1-0x0000000000400000-0x0000000000445000-memory.dmp upx behavioral2/memory/2928-17-0x0000000000400000-0x0000000000445000-memory.dmp upx behavioral2/memory/2928-18-0x0000000000400000-0x0000000000445000-memory.dmp upx behavioral2/memory/2520-19-0x0000000000400000-0x0000000000445000-memory.dmp upx behavioral2/memory/2520-72-0x0000000000400000-0x0000000000445000-memory.dmp upx behavioral2/memory/1344-74-0x0000000000400000-0x0000000000445000-memory.dmp upx behavioral2/memory/1344-75-0x0000000000400000-0x0000000000445000-memory.dmp upx behavioral2/memory/2520-184-0x0000000000400000-0x0000000000445000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2520 wrote to memory of 2928 2520 31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe 84 PID 2520 wrote to memory of 2928 2520 31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe 84 PID 2520 wrote to memory of 2928 2520 31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe 84 PID 2520 wrote to memory of 1344 2520 31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe 85 PID 2520 wrote to memory of 1344 2520 31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe 85 PID 2520 wrote to memory of 1344 2520 31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe"C:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exeC:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming2⤵
- System Location Discovery: System Language Discovery
PID:2928
-
-
C:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exeC:\Users\Admin\AppData\Local\Temp\31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp2⤵
- System Location Discovery: System Language Discovery
PID:1344
-
Network
-
Remote address:8.8.8.8:53Requestgreenherbalteaonline.comIN AResponse
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request88.210.23.2.in-addr.arpaIN PTRResponse88.210.23.2.in-addr.arpaIN PTRa2-23-210-88deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request73.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestmediadryvers.comIN AResponse
-
Remote address:8.8.8.8:53Requestmilkiwals.comIN AResponse
-
Remote address:8.8.8.8:53Requestzonedg.comIN AResponsezonedg.comIN A103.224.212.214
-
POSThttp://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbedv1sTuDuw9hx4W4%2F4%2B7G3n72bEr0%2FLeqd%2FdvX%2BP9nf9i9xg4lP7MogWBGT7iisTdBYFpOej6wb518i8OsL%2BB6GL3GB%2BjucSjf%2BFpPOPuwd13Uq%2F3vleWbkY%3D31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exeRemote address:103.224.212.214:80RequestPOST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbedv1sTuDuw9hx4W4%2F4%2B7G3n72bEr0%2FLeqd%2FdvX%2BP9nf9i9xg4lP7MogWBGT7iisTdBYFpOej6wb518i8OsL%2BB6GL3GB%2BjucSjf%2BFpPOPuwd13Uq%2F3vleWbkY%3D HTTP/1.1
Host: zonedg.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
ResponseHTTP/1.1 302 Found
server: Apache
set-cookie: __tad=1734029996.3402048; expires=Sun, 10-Dec-2034 18:59:56 GMT; Max-Age=315360000
location: http://ww25.zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbedv1sTuDuw9hx4W4%2F4%2B7G3n72bEr0%2FLeqd%2FdvX%2BP9nf9i9xg4lP7MogWBGT7iisTdBYFpOej6wb518i8OsL%2BB6GL3GB%2BjucSjf%2BFpPOPuwd13Uq%2F3vleWbkY%3D&subid1=20241213-0559-56d8-b679-b5b30699ee04
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
-
POSThttp://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbedv1sTuDuw9hx4W4%2F4%2B7G3n72bEr0%2FLeqd%2FdvX%2BP9nf9i9xg4lP7MogWBGT7iisTdBYFpOej6wb518i8OsL%2BB6GL3GB%2BjucSsdOFpPOPuwd11Uq%2F3vleWbkY%3D31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exeRemote address:103.224.212.214:80RequestPOST /index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbedv1sTuDuw9hx4W4%2F4%2B7G3n72bEr0%2FLeqd%2FdvX%2BP9nf9i9xg4lP7MogWBGT7iisTdBYFpOej6wb518i8OsL%2BB6GL3GB%2BjucSsdOFpPOPuwd11Uq%2F3vleWbkY%3D HTTP/1.1
Host: zonedg.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Length: 0
Connection: close
ResponseHTTP/1.1 302 Found
server: Apache
set-cookie: __tad=1734029996.2611109; expires=Sun, 10-Dec-2034 18:59:56 GMT; Max-Age=315360000
location: http://ww25.zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbedv1sTuDuw9hx4W4%2F4%2B7G3n72bEr0%2FLeqd%2FdvX%2BP9nf9i9xg4lP7MogWBGT7iisTdBYFpOej6wb518i8OsL%2BB6GL3GB%2BjucSsdOFpPOPuwd11Uq%2F3vleWbkY%3D&subid1=20241213-0559-5662-99ae-74ed3756acd4
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request214.212.224.103.in-addr.arpaIN PTRResponse214.212.224.103.in-addr.arpaIN PTRlb-212-214abovecom
-
Remote address:8.8.8.8:53Request56.163.245.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestmaildbaccess.comIN AResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A172.217.20.164
-
Remote address:172.217.20.164:80RequestGET / HTTP/1.0
Connection: close
Host: www.google.com
Accept: */*
ResponseHTTP/1.0 302 Found
x-hallmonitor-challenge: CgwI1OXsugYQnM35lgESBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-Yf5UmN1cVfX-f5UkvpSUIw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Thu, 12 Dec 2024 19:00:36 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-WMTGgbdJgLp5vaV66EQYs6WeSwCqQuykbWPp9-6WTSrYCsuMARvg; expires=Tue, 10-Jun-2025 19:00:36 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
-
Remote address:172.217.20.164:80RequestGET / HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
ResponseHTTP/1.1 302 Found
x-hallmonitor-challenge: CgwI1OXsugYQoJS1vAISBLXXsFM
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-ebm-dQao_1YVzfJcBW9Kwg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
Date: Thu, 12 Dec 2024 19:00:36 GMT
Server: gws
Content-Length: 396
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-ViKY69ySIZ6IkTZH6z4AJZcVOa2MDiYVOgHoIMlvv3r5E4fd_-ww; expires=Tue, 10-Jun-2025 19:00:36 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Connection: close
-
Remote address:8.8.8.8:53Request164.20.217.172.in-addr.arpaIN PTRResponse164.20.217.172.in-addr.arpaIN PTRwaw02s07-in-f41e100net164.20.217.172.in-addr.arpaIN PTRpar10s49-in-f4�H164.20.217.172.in-addr.arpaIN PTRwaw02s07-in-f164�H
-
GEThttp://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNTl7LoGIjCOIKi563-g2GoDa5fq5coWLohuwuQsNNYmPDjJWxb_XamhPLPlj7wFxOY5-yqVSe8yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exeRemote address:172.217.20.164:80RequestGET /sorry/index?continue=http://www.google.com/&q=EgS117BTGNTl7LoGIjCOIKi563-g2GoDa5fq5coWLohuwuQsNNYmPDjJWxb_XamhPLPlj7wFxOY5-yqVSe8yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
Connection: close
Pragma: no-cache
Host: www.google.com
ResponseHTTP/1.1 429 Too Many Requests
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
Server: HTTP server (unknown)
Content-Length: 3075
X-XSS-Protection: 0
Connection: close
-
Remote address:8.8.8.8:53Request180.129.81.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
103.224.212.214:80http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbedv1sTuDuw9hx4W4%2F4%2B7G3n72bEr0%2FLeqd%2FdvX%2BP9nf9i9xg4lP7MogWBGT7iisTdBYFpOej6wb518i8OsL%2BB6GL3GB%2BjucSjf%2BFpPOPuwd13Uq%2F3vleWbkY%3Dhttp31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe585 B 718 B 5 4
HTTP Request
POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbedv1sTuDuw9hx4W4%2F4%2B7G3n72bEr0%2FLeqd%2FdvX%2BP9nf9i9xg4lP7MogWBGT7iisTdBYFpOej6wb518i8OsL%2BB6GL3GB%2BjucSjf%2BFpPOPuwd13Uq%2F3vleWbkY%3DHTTP Response
302 -
103.224.212.214:80http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbedv1sTuDuw9hx4W4%2F4%2B7G3n72bEr0%2FLeqd%2FdvX%2BP9nf9i9xg4lP7MogWBGT7iisTdBYFpOej6wb518i8OsL%2BB6GL3GB%2BjucSsdOFpPOPuwd11Uq%2F3vleWbkY%3Dhttp31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe583 B 716 B 5 4
HTTP Request
POST http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfxoX%2BP9h%2BI0sDkX9PiwomL2GUvg7sbedv1sTuDuw9hx4W4%2F4%2B7G3n72bEr0%2FLeqd%2FdvX%2BP9nf9i9xg4lP7MogWBGT7iisTdBYFpOej6wb518i8OsL%2BB6GL3GB%2BjucSsdOFpPOPuwd11Uq%2F3vleWbkY%3DHTTP Response
302 -
-
172.217.20.164:80http://www.google.com/http31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe348 B 1.5kB 6 5
HTTP Request
GET http://www.google.com/HTTP Response
302 -
-
172.217.20.164:80http://www.google.com/http31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe307 B 1.5kB 5 5
HTTP Request
GET http://www.google.com/HTTP Response
302 -
172.217.20.164:80http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNTl7LoGIjCOIKi563-g2GoDa5fq5coWLohuwuQsNNYmPDjJWxb_XamhPLPlj7wFxOY5-yqVSe8yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMhttp31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe526 B 3.7kB 6 7
HTTP Request
GET http://www.google.com/sorry/index?continue=http://www.google.com/&q=EgS117BTGNTl7LoGIjCOIKi563-g2GoDa5fq5coWLohuwuQsNNYmPDjJWxb_XamhPLPlj7wFxOY5-yqVSe8yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUMHTTP Response
429 -
-
-
-
8.8.8.8:53greenherbalteaonline.comdns31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe70 B 143 B 1 1
DNS Request
greenherbalteaonline.com
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
224 B 4
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
88.210.23.2.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
73.31.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
8.8.8.8:53mediadryvers.comdns31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe62 B 135 B 1 1
DNS Request
mediadryvers.com
-
59 B 132 B 1 1
DNS Request
milkiwals.com
-
56 B 72 B 1 1
DNS Request
zonedg.com
DNS Response
103.224.212.214
-
74 B 108 B 1 1
DNS Request
214.212.224.103.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
217.106.137.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
8.8.8.8:53maildbaccess.comdns31517a026e70dc7b2620892bc48f86cf1ee219bfa0da56802184f4a30fd6b095N.exe62 B 135 B 1 1
DNS Request
maildbaccess.com
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
60 B 76 B 1 1
DNS Request
www.google.com
DNS Response
172.217.20.164
-
73 B 171 B 1 1
DNS Request
164.20.217.172.in-addr.arpa
-
72 B 147 B 1 1
DNS Request
180.129.81.91.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.227.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5307c49262d13e33386fc157b72571ca4
SHA1c0ff90e2942312119bf8e511e58d71ff0f29b8da
SHA256fd739d20683d941173009e1c867dae81f1cc33586341fff900519928e69eed6b
SHA512aeb233baa4bb88a9f5111d4dd0eec781588f8a930d6771daaf089e02ec108f2d71c3ff3eeb1b9e7db0cfc994cb53803e89453b5c47cb16c1525d1a8a8b6dea22
-
Filesize
897B
MD59ed8d85c4687b5da8da0adc74049771d
SHA14a37c7b4aac3167680b688ea7d904c3c9b10543b
SHA25688ed9921bde8746306cfe34512f764e8591905934b1444693f4dc5368f507dc6
SHA512d096693ad2d5058553ee6033595a4baac40a7db3dfef025bf86fa8c5504995f533725a94a759457d0ab2baf11242245725d524f43f6bc29abd5e42e3b6876a4f
-
Filesize
1KB
MD5633c7ac80a09523c4d52711651025bff
SHA1b8054fa6a035274756c8906895b9d46e77acb4f4
SHA2562a895c528bfc05e56aab02467b891665f2fd03dc17ef59fc83bb6e39b78ecd3a
SHA512afefb23ddb220d7049c8d786d22f2043178c6fd5a60e87f56537fbf17fa7b39af65b5fca8b87e04de8437cc019e2668488458daf966a8e2c9a5deea5631805b2
-
Filesize
597B
MD53e8c2045570149b2003e090d0624e200
SHA1f39996dfde1340d76262f6975c72c3dfac773037
SHA25659f8ca440d8b52b33a434db5e5bf90336972afada2ef542bb9704b07dd74c3e7
SHA512ac57465e72bad48fcb262ffb3e8d90a4eae589511950695e653693f71be12275b33b5207165fe61b620d8b611bb73c27ac46e8827df7205c96e1dc491fc694be