Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
31/12/2024, 21:50
Behavioral task
behavioral1
Sample
e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
Resource
win7-20240903-en
General
-
Target
e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
-
Size
637KB
-
MD5
f1c3e7d4f2ea34ded96047cc76392340
-
SHA1
60683db56a96afe8ef1557c10fb861ae1081097b
-
SHA256
e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758
-
SHA512
9d8cf3b1bc0bb153a364618f0e1038a87549ce9d3c89ae4fd65c24737cb1a07f31a8618fdbb7d66ef9f2e410e3616593f7ba2e2ec4fa1325b8f86147956d4e47
-
SSDEEP
12288:PFUNDaJTEgdfYe/iKg3qFE4/ywNFpdrdwzTCcdjv:PFOaKUwC5F9ywNFpdJ7cdjv
Malware Config
Extracted
quasar
1.4.0
Office04
192.168.31.99:4782
2001:4bc9:1f98:a4e::676:4782
255.255.255.0:4782
fe80::cabf:4cff:fe84:9572%17:4782
1f65a787-81b8-4955-95e4-b7751e10cd50
-
encryption_key
A0B82A50BBC49EC084E3E53A9E34DF58BD7050B9
-
install_name
Java Updater.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Java Updater
-
subdirectory
SubDir
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Quasar family
-
Quasar payload 4 IoCs
resource yara_rule behavioral1/files/0x000f000000018662-6.dat family_quasar behavioral1/memory/2088-11-0x0000000000DB0000-0x0000000000E34000-memory.dmp family_quasar behavioral1/files/0x000600000001878d-49.dat family_quasar behavioral1/memory/2788-78-0x0000000000DE0000-0x0000000000E64000-memory.dmp family_quasar -
Executes dropped EXE 8 IoCs
pid Process 2088 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe 2064 icsys.icn.exe 2784 explorer.exe 2688 spoolsv.exe 2780 Java Updater.exe 2704 svchost.exe 2756 spoolsv.exe 2788 java updater.exe -
Loads dropped DLL 7 IoCs
pid Process 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 2064 icsys.icn.exe 2784 explorer.exe 2688 spoolsv.exe 2704 svchost.exe 2780 Java Updater.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe Java Updater.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe icsys.icn.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Java Updater.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icsys.icn.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1976 schtasks.exe 2600 schtasks.exe 2432 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 2064 icsys.icn.exe 2064 icsys.icn.exe 2064 icsys.icn.exe 2064 icsys.icn.exe 2064 icsys.icn.exe 2064 icsys.icn.exe 2064 icsys.icn.exe 2064 icsys.icn.exe 2064 icsys.icn.exe 2064 icsys.icn.exe 2064 icsys.icn.exe 2064 icsys.icn.exe 2064 icsys.icn.exe 2064 icsys.icn.exe 2064 icsys.icn.exe 2064 icsys.icn.exe 2064 icsys.icn.exe 2784 explorer.exe 2784 explorer.exe 2784 explorer.exe 2784 explorer.exe 2784 explorer.exe 2784 explorer.exe 2784 explorer.exe 2784 explorer.exe 2784 explorer.exe 2784 explorer.exe 2784 explorer.exe 2784 explorer.exe 2784 explorer.exe 2784 explorer.exe 2784 explorer.exe 2784 explorer.exe 2704 svchost.exe 2704 svchost.exe 2704 svchost.exe 2704 svchost.exe 2704 svchost.exe 2704 svchost.exe 2704 svchost.exe 2704 svchost.exe 2704 svchost.exe 2704 svchost.exe 2704 svchost.exe 2704 svchost.exe 2704 svchost.exe 2704 svchost.exe 2704 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2704 svchost.exe 2784 explorer.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2088 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe Token: SeDebugPrivilege 2788 java updater.exe -
Suspicious use of SetWindowsHookEx 14 IoCs
pid Process 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 2064 icsys.icn.exe 2064 icsys.icn.exe 2784 explorer.exe 2784 explorer.exe 2688 spoolsv.exe 2688 spoolsv.exe 2704 svchost.exe 2704 svchost.exe 2780 Java Updater.exe 2756 spoolsv.exe 2780 Java Updater.exe 2756 spoolsv.exe -
Suspicious use of WriteProcessMemory 50 IoCs
description pid Process procid_target PID 2976 wrote to memory of 2088 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 30 PID 2976 wrote to memory of 2088 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 30 PID 2976 wrote to memory of 2088 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 30 PID 2976 wrote to memory of 2088 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 30 PID 2088 wrote to memory of 1976 2088 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe 31 PID 2088 wrote to memory of 1976 2088 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe 31 PID 2088 wrote to memory of 1976 2088 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe 31 PID 2976 wrote to memory of 2064 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 33 PID 2976 wrote to memory of 2064 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 33 PID 2976 wrote to memory of 2064 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 33 PID 2976 wrote to memory of 2064 2976 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe 33 PID 2064 wrote to memory of 2784 2064 icsys.icn.exe 34 PID 2064 wrote to memory of 2784 2064 icsys.icn.exe 34 PID 2064 wrote to memory of 2784 2064 icsys.icn.exe 34 PID 2064 wrote to memory of 2784 2064 icsys.icn.exe 34 PID 2784 wrote to memory of 2688 2784 explorer.exe 35 PID 2784 wrote to memory of 2688 2784 explorer.exe 35 PID 2784 wrote to memory of 2688 2784 explorer.exe 35 PID 2784 wrote to memory of 2688 2784 explorer.exe 35 PID 2088 wrote to memory of 2780 2088 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe 36 PID 2088 wrote to memory of 2780 2088 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe 36 PID 2088 wrote to memory of 2780 2088 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe 36 PID 2088 wrote to memory of 2780 2088 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe 36 PID 2088 wrote to memory of 2780 2088 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe 36 PID 2088 wrote to memory of 2780 2088 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe 36 PID 2088 wrote to memory of 2780 2088 e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe 36 PID 2688 wrote to memory of 2704 2688 spoolsv.exe 37 PID 2688 wrote to memory of 2704 2688 spoolsv.exe 37 PID 2688 wrote to memory of 2704 2688 spoolsv.exe 37 PID 2688 wrote to memory of 2704 2688 spoolsv.exe 37 PID 2704 wrote to memory of 2756 2704 svchost.exe 38 PID 2704 wrote to memory of 2756 2704 svchost.exe 38 PID 2704 wrote to memory of 2756 2704 svchost.exe 38 PID 2704 wrote to memory of 2756 2704 svchost.exe 38 PID 2784 wrote to memory of 2596 2784 explorer.exe 39 PID 2784 wrote to memory of 2596 2784 explorer.exe 39 PID 2784 wrote to memory of 2596 2784 explorer.exe 39 PID 2784 wrote to memory of 2596 2784 explorer.exe 39 PID 2780 wrote to memory of 2788 2780 Java Updater.exe 40 PID 2780 wrote to memory of 2788 2780 Java Updater.exe 40 PID 2780 wrote to memory of 2788 2780 Java Updater.exe 40 PID 2780 wrote to memory of 2788 2780 Java Updater.exe 40 PID 2704 wrote to memory of 2600 2704 svchost.exe 41 PID 2704 wrote to memory of 2600 2704 svchost.exe 41 PID 2704 wrote to memory of 2600 2704 svchost.exe 41 PID 2704 wrote to memory of 2600 2704 svchost.exe 41 PID 2704 wrote to memory of 2432 2704 svchost.exe 46 PID 2704 wrote to memory of 2432 2704 svchost.exe 46 PID 2704 wrote to memory of 2432 2704 svchost.exe 46 PID 2704 wrote to memory of 2432 2704 svchost.exe 46 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe"C:\Users\Admin\AppData\Local\Temp\e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\users\admin\appdata\local\temp\e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exec:\users\admin\appdata\local\temp\e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "c:\users\admin\appdata\local\temp\e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe " /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:1976
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe"C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\users\admin\appdata\roaming\subdir\java updater.exe"c:\users\admin\appdata\roaming\subdir\java updater.exe "4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2788
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe4⤵PID:2044
-
-
-
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2756
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:52 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2600
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 21:53 /f6⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2432
-
-
-
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe4⤵PID:2596
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
637KB
MD5f1c3e7d4f2ea34ded96047cc76392340
SHA160683db56a96afe8ef1557c10fb861ae1081097b
SHA256e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758
SHA5129d8cf3b1bc0bb153a364618f0e1038a87549ce9d3c89ae4fd65c24737cb1a07f31a8618fdbb7d66ef9f2e410e3616593f7ba2e2ec4fa1325b8f86147956d4e47
-
Filesize
135KB
MD53c5f85db0f641f2dc5d04c3b32108bef
SHA1380e367ee4804ad3db90e978e02e623964fb9310
SHA2564c8cb14b16d689c0c63c9533360c2de96d711d48b96c8448a7f55e5c035833da
SHA512cd88434a7ed9a3c36208f64e604f2f9e082ef9f54a2409b7a6bfa422d81c5396dad9c2527187b86d282802cc9ea880a4810862a041b773936e208b3d38bd6547
-
Filesize
135KB
MD51da395d37e7dd10adb656cb9e7d04a18
SHA198798831f8ba6ce8bc828e7763a338d1b420ee7b
SHA25688d4c30796ca2930da72d706969da545632cf2d85b2a663ee5ec0a0c9e2c1b54
SHA512f9c9c6e94bb41123ea2f3306463cafcc3152df7df0d9f04767784f4defabeeec4419def661b43f47cc3b6073e7d771e418078b231ae8003a99b387c546a883d9
-
Filesize
135KB
MD52faa84e1d9fcf969ff84d2660a1b53d7
SHA120e09b795a3b0abce0fce13e310c0d887bf7d141
SHA2567234de49d20bc5de3a9e97b79172fc5451712d0ec3ede91b4bd14d5cc936af87
SHA5121e01a9a95cbc93f69e7e093bf103051398a533caa5f83b1d87aaf86dbd0f1b550d078d2a221cd34e08c73ea46761aefbf98bab4ed2c2abf5f927dc0628eb77ed
-
\Users\Admin\AppData\Local\Temp\e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe
Filesize502KB
MD51441905fc4082ee6055ea39f5875a6c5
SHA178f91f9f9ffe47e5f47e9844bd026d150146744e
SHA2561b05c4d74e0d17a983f9b91aa706a7a60f37ec270b7e2433d6798afa1c7be766
SHA51270e9ab0e49b4bf89505f16c499538daebc1e8da72488cd63ff60747d15a1d486ba38802b0622c9240d10ff68ab32e6bb36a0b809e7cd0e2ec4945d023ce86c5c
-
Filesize
135KB
MD5f83b8daf191078e84dbb7c0ed3d3f5a5
SHA1c858058b1d91a6d66eb20b06243a318a55bfbcae
SHA256039f801da9b46677322dfcf769ea21129c66979affa1a1783bbf1a4c0f372966
SHA512a0ab72554c9ef32dd1f3d4ff6a68733befb1ba31c52f408f34d3eef5d33919b0c13d50518dee09645fa642748c4eff1f3f5225351ec50be9f1099076f0be20f7