Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 09:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
10174037f6bab4969360f655ef10a911e535d19b2c731fbe95623b1855050903.exe
Resource
win7-20240903-en
windows7-x64
22 signatures
120 seconds
General
-
Target
10174037f6bab4969360f655ef10a911e535d19b2c731fbe95623b1855050903.exe
-
Size
966KB
-
MD5
22977eaececc124b167967723f591e76
-
SHA1
b209dc0f7a983c03a80885607b826f3e6879b4bc
-
SHA256
10174037f6bab4969360f655ef10a911e535d19b2c731fbe95623b1855050903
-
SHA512
ffd739b82dee5791cf4a932d1d8f7a67d14ec851cc49a433cf404cbc885b785eba67848131365ce38cddd5940dd1174b18ec21572301fcc074f2faed599a40f7
-
SSDEEP
12288:N3TD4DnRfwKl+znaNpofSsa9Pi+W9iXqpea3wJWIfBT3PGUE0/DrRrPGVJ:FTQuKl+zsUC6J9i+3wJRT3PI0/xGj
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
74.65.183.83:1604
74.65.183.83:25565
74.65.183.83:1122
74.65.183.83:100
Mutex
DC_MUTEX-XH87550
Attributes
-
InstallPath
WindowsUpdate.exe
-
gencode
MwBxQSYoXbQb
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
WindoesUpdate.dll
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\WindowsUpdate.exe" BlackWidowV4CrackedBySkullTeam.exe -
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" WindowsUpdate.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile WindowsUpdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" WindowsUpdate.exe -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" WindowsUpdate.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WindowsUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WindowsUpdate.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WindowsUpdate.exe -
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 4316 attrib.exe 2520 attrib.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 10174037f6bab4969360f655ef10a911e535d19b2c731fbe95623b1855050903.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation BlackWidowV4CrackedBySkullTeam.sfx.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation BlackWidowV4CrackedBySkullTeam.exe -
Executes dropped EXE 3 IoCs
pid Process 3036 BlackWidowV4CrackedBySkullTeam.sfx.exe 4268 BlackWidowV4CrackedBySkullTeam.exe 4076 WindowsUpdate.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WindowsUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WindowsUpdate.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindoesUpdate.dll = "C:\\WindowsUpdate.exe" BlackWidowV4CrackedBySkullTeam.exe Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindoesUpdate.dll = "C:\\WindowsUpdate.exe" WindowsUpdate.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 10174037f6bab4969360f655ef10a911e535d19b2c731fbe95623b1855050903.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BlackWidowV4CrackedBySkullTeam.sfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BlackWidowV4CrackedBySkullTeam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WindowsUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4076 WindowsUpdate.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4268 BlackWidowV4CrackedBySkullTeam.exe Token: SeSecurityPrivilege 4268 BlackWidowV4CrackedBySkullTeam.exe Token: SeTakeOwnershipPrivilege 4268 BlackWidowV4CrackedBySkullTeam.exe Token: SeLoadDriverPrivilege 4268 BlackWidowV4CrackedBySkullTeam.exe Token: SeSystemProfilePrivilege 4268 BlackWidowV4CrackedBySkullTeam.exe Token: SeSystemtimePrivilege 4268 BlackWidowV4CrackedBySkullTeam.exe Token: SeProfSingleProcessPrivilege 4268 BlackWidowV4CrackedBySkullTeam.exe Token: SeIncBasePriorityPrivilege 4268 BlackWidowV4CrackedBySkullTeam.exe Token: SeCreatePagefilePrivilege 4268 BlackWidowV4CrackedBySkullTeam.exe Token: SeBackupPrivilege 4268 BlackWidowV4CrackedBySkullTeam.exe Token: SeRestorePrivilege 4268 BlackWidowV4CrackedBySkullTeam.exe Token: SeShutdownPrivilege 4268 BlackWidowV4CrackedBySkullTeam.exe Token: SeDebugPrivilege 4268 BlackWidowV4CrackedBySkullTeam.exe Token: SeSystemEnvironmentPrivilege 4268 BlackWidowV4CrackedBySkullTeam.exe Token: SeChangeNotifyPrivilege 4268 BlackWidowV4CrackedBySkullTeam.exe Token: SeRemoteShutdownPrivilege 4268 BlackWidowV4CrackedBySkullTeam.exe Token: SeUndockPrivilege 4268 BlackWidowV4CrackedBySkullTeam.exe Token: SeManageVolumePrivilege 4268 BlackWidowV4CrackedBySkullTeam.exe Token: SeImpersonatePrivilege 4268 BlackWidowV4CrackedBySkullTeam.exe Token: SeCreateGlobalPrivilege 4268 BlackWidowV4CrackedBySkullTeam.exe Token: 33 4268 BlackWidowV4CrackedBySkullTeam.exe Token: 34 4268 BlackWidowV4CrackedBySkullTeam.exe Token: 35 4268 BlackWidowV4CrackedBySkullTeam.exe Token: 36 4268 BlackWidowV4CrackedBySkullTeam.exe Token: SeIncreaseQuotaPrivilege 4076 WindowsUpdate.exe Token: SeSecurityPrivilege 4076 WindowsUpdate.exe Token: SeTakeOwnershipPrivilege 4076 WindowsUpdate.exe Token: SeLoadDriverPrivilege 4076 WindowsUpdate.exe Token: SeSystemProfilePrivilege 4076 WindowsUpdate.exe Token: SeSystemtimePrivilege 4076 WindowsUpdate.exe Token: SeProfSingleProcessPrivilege 4076 WindowsUpdate.exe Token: SeIncBasePriorityPrivilege 4076 WindowsUpdate.exe Token: SeCreatePagefilePrivilege 4076 WindowsUpdate.exe Token: SeBackupPrivilege 4076 WindowsUpdate.exe Token: SeRestorePrivilege 4076 WindowsUpdate.exe Token: SeShutdownPrivilege 4076 WindowsUpdate.exe Token: SeDebugPrivilege 4076 WindowsUpdate.exe Token: SeSystemEnvironmentPrivilege 4076 WindowsUpdate.exe Token: SeChangeNotifyPrivilege 4076 WindowsUpdate.exe Token: SeRemoteShutdownPrivilege 4076 WindowsUpdate.exe Token: SeUndockPrivilege 4076 WindowsUpdate.exe Token: SeManageVolumePrivilege 4076 WindowsUpdate.exe Token: SeImpersonatePrivilege 4076 WindowsUpdate.exe Token: SeCreateGlobalPrivilege 4076 WindowsUpdate.exe Token: 33 4076 WindowsUpdate.exe Token: 34 4076 WindowsUpdate.exe Token: 35 4076 WindowsUpdate.exe Token: 36 4076 WindowsUpdate.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4076 WindowsUpdate.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2448 wrote to memory of 3616 2448 10174037f6bab4969360f655ef10a911e535d19b2c731fbe95623b1855050903.exe 83 PID 2448 wrote to memory of 3616 2448 10174037f6bab4969360f655ef10a911e535d19b2c731fbe95623b1855050903.exe 83 PID 2448 wrote to memory of 3616 2448 10174037f6bab4969360f655ef10a911e535d19b2c731fbe95623b1855050903.exe 83 PID 3616 wrote to memory of 3036 3616 cmd.exe 86 PID 3616 wrote to memory of 3036 3616 cmd.exe 86 PID 3616 wrote to memory of 3036 3616 cmd.exe 86 PID 3036 wrote to memory of 4268 3036 BlackWidowV4CrackedBySkullTeam.sfx.exe 87 PID 3036 wrote to memory of 4268 3036 BlackWidowV4CrackedBySkullTeam.sfx.exe 87 PID 3036 wrote to memory of 4268 3036 BlackWidowV4CrackedBySkullTeam.sfx.exe 87 PID 4268 wrote to memory of 4884 4268 BlackWidowV4CrackedBySkullTeam.exe 89 PID 4268 wrote to memory of 4884 4268 BlackWidowV4CrackedBySkullTeam.exe 89 PID 4268 wrote to memory of 4884 4268 BlackWidowV4CrackedBySkullTeam.exe 89 PID 4268 wrote to memory of 1792 4268 BlackWidowV4CrackedBySkullTeam.exe 90 PID 4268 wrote to memory of 1792 4268 BlackWidowV4CrackedBySkullTeam.exe 90 PID 4268 wrote to memory of 1792 4268 BlackWidowV4CrackedBySkullTeam.exe 90 PID 4268 wrote to memory of 1916 4268 BlackWidowV4CrackedBySkullTeam.exe 92 PID 4268 wrote to memory of 1916 4268 BlackWidowV4CrackedBySkullTeam.exe 92 PID 4268 wrote to memory of 1916 4268 BlackWidowV4CrackedBySkullTeam.exe 92 PID 4268 wrote to memory of 1916 4268 BlackWidowV4CrackedBySkullTeam.exe 92 PID 4268 wrote to memory of 1916 4268 BlackWidowV4CrackedBySkullTeam.exe 92 PID 4268 wrote to memory of 1916 4268 BlackWidowV4CrackedBySkullTeam.exe 92 PID 4268 wrote to memory of 1916 4268 BlackWidowV4CrackedBySkullTeam.exe 92 PID 4268 wrote to memory of 1916 4268 BlackWidowV4CrackedBySkullTeam.exe 92 PID 4268 wrote to memory of 1916 4268 BlackWidowV4CrackedBySkullTeam.exe 92 PID 4268 wrote to memory of 1916 4268 BlackWidowV4CrackedBySkullTeam.exe 92 PID 4268 wrote to memory of 1916 4268 BlackWidowV4CrackedBySkullTeam.exe 92 PID 4268 wrote to memory of 1916 4268 BlackWidowV4CrackedBySkullTeam.exe 92 PID 4268 wrote to memory of 1916 4268 BlackWidowV4CrackedBySkullTeam.exe 92 PID 4268 wrote to memory of 1916 4268 BlackWidowV4CrackedBySkullTeam.exe 92 PID 4268 wrote to memory of 1916 4268 BlackWidowV4CrackedBySkullTeam.exe 92 PID 4268 wrote to memory of 1916 4268 BlackWidowV4CrackedBySkullTeam.exe 92 PID 4268 wrote to memory of 1916 4268 BlackWidowV4CrackedBySkullTeam.exe 92 PID 4268 wrote to memory of 4076 4268 BlackWidowV4CrackedBySkullTeam.exe 94 PID 4268 wrote to memory of 4076 4268 BlackWidowV4CrackedBySkullTeam.exe 94 PID 4268 wrote to memory of 4076 4268 BlackWidowV4CrackedBySkullTeam.exe 94 PID 4076 wrote to memory of 4892 4076 WindowsUpdate.exe 95 PID 4076 wrote to memory of 4892 4076 WindowsUpdate.exe 95 PID 4076 wrote to memory of 4892 4076 WindowsUpdate.exe 95 PID 1792 wrote to memory of 4316 1792 cmd.exe 96 PID 1792 wrote to memory of 4316 1792 cmd.exe 96 PID 1792 wrote to memory of 4316 1792 cmd.exe 96 PID 4076 wrote to memory of 2648 4076 WindowsUpdate.exe 97 PID 4076 wrote to memory of 2648 4076 WindowsUpdate.exe 97 PID 4076 wrote to memory of 2304 4076 WindowsUpdate.exe 98 PID 4076 wrote to memory of 2304 4076 WindowsUpdate.exe 98 PID 4076 wrote to memory of 2304 4076 WindowsUpdate.exe 98 PID 4076 wrote to memory of 2304 4076 WindowsUpdate.exe 98 PID 4076 wrote to memory of 2304 4076 WindowsUpdate.exe 98 PID 4076 wrote to memory of 2304 4076 WindowsUpdate.exe 98 PID 4076 wrote to memory of 2304 4076 WindowsUpdate.exe 98 PID 4076 wrote to memory of 2304 4076 WindowsUpdate.exe 98 PID 4076 wrote to memory of 2304 4076 WindowsUpdate.exe 98 PID 4076 wrote to memory of 2304 4076 WindowsUpdate.exe 98 PID 4076 wrote to memory of 2304 4076 WindowsUpdate.exe 98 PID 4076 wrote to memory of 2304 4076 WindowsUpdate.exe 98 PID 4076 wrote to memory of 2304 4076 WindowsUpdate.exe 98 PID 4076 wrote to memory of 2304 4076 WindowsUpdate.exe 98 PID 4076 wrote to memory of 2304 4076 WindowsUpdate.exe 98 PID 4076 wrote to memory of 2304 4076 WindowsUpdate.exe 98 PID 4076 wrote to memory of 2304 4076 WindowsUpdate.exe 98 PID 4076 wrote to memory of 2304 4076 WindowsUpdate.exe 98 PID 4076 wrote to memory of 2304 4076 WindowsUpdate.exe 98 PID 4076 wrote to memory of 2304 4076 WindowsUpdate.exe 98 PID 4076 wrote to memory of 2304 4076 WindowsUpdate.exe 98 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" WindowsUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion WindowsUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern WindowsUpdate.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 4316 attrib.exe 2520 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\10174037f6bab4969360f655ef10a911e535d19b2c731fbe95623b1855050903.exe"C:\Users\Admin\AppData\Local\Temp\10174037f6bab4969360f655ef10a911e535d19b2c731fbe95623b1855050903.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\dll.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\BlackWidowV4CrackedBySkullTeam.sfx.exeBlackWidowV4CrackedBySkullTeam.sfx -parrow1998 -dC:\Users\Admin\AppData\Roaming3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BlackWidowV4CrackedBySkullTeam.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BlackWidowV4CrackedBySkullTeam.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\RarSFX1\BlackWidowV4CrackedBySkullTeam.exe" +s +h5⤵
- System Location Discovery: System Language Discovery
PID:4884 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\RarSFX1\BlackWidowV4CrackedBySkullTeam.exe" +s +h6⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2520
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\RarSFX1" +s +h5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\RarSFX1" +s +h6⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4316
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵
- System Location Discovery: System Language Discovery
PID:1916
-
-
C:\WindowsUpdate.exe"C:\WindowsUpdate.exe"5⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4076 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"6⤵PID:4892
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"6⤵PID:2648
-
-
C:\Windows\SysWOW64\notepad.exenotepad6⤵
- System Location Discovery: System Language Discovery
PID:2304
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
519KB
MD54b7cf29e9744da36f072c88a9372395a
SHA1c9e206d3d81c8b604860c3dd379ee059676aa409
SHA25600f0d8dd7eb761c34048df8706a526963150d95f592ef7e9bb4caa93947114bb
SHA512418be4347a2cc3a50059d707a5a438f707c1385b013a7409d95139b6b8f22f1416d576c6d1c44eea4e930803a50888e0a109c4b2b23c40c4f96f84e5d6a7e303
-
Filesize
58B
MD5d2f7f27d6885c2afea6c3ad5bc6c1190
SHA1f2b23abe2f2d90ca61b1b356e7e125b1f7d41798
SHA2561c4d169e0bb2016066e4e545c89426addb0aaaf58240d2740be8d85753b94261
SHA51235d50b0c23725d40b15e0b7627e8228f02cd26b606c1d2815d1f2ff03ee5098877ab52d8527987b46d425ea34ea258d4710a7f48555a70b8afce5863c1442caa
-
Filesize
1004KB
MD5997c248b8c1ff1e99aaa40e8384331f4
SHA1ca765e630e0fb9ab4837ea0389c012cf12da02f6
SHA2563a4da5311a97fa8a4e8142b6e4847e9effd69b3d6abe7c3bd0a5922cf1bc3cf2
SHA51219a98ba43953fdb7acd721b1fdc3ee96d6964820b04cea6538fe835d0d0047d38ff76f11d9525eb339c9e489e55c0d752ab6cc2eddf1cd7336772dfb00a90166