Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
159s -
max time network
161s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
07/01/2025, 15:52
General
-
Target
MCLauncherAlpha.exe
-
Size
25.2MB
-
MD5
f7bd3d4ec4df43f3746dc4ee40182583
-
SHA1
5bed51610fc47545a6d0b6a480c5fa79c93c41da
-
SHA256
befad7b4dd58e164807088abae4876eec9cf413f997979b44d54522117a326de
-
SHA512
d5a32bf7eff40e1d0e4c73c22afea7822fb34fb748962ce131788b345c741814ade9b2e7bf75b794bb63d0f6b415296e2f12a82ae0e7b594f9f1bedb4bc33026
-
SSDEEP
12288:oxH78xBtJoZtL+EP8LhB0xfEY3Ymfh8Itps0Jd:oGB1I89B0xfEY3Ymfh8Itps0r
Malware Config
Extracted
xworm
who-disaster.gl.at.ply.gg:1754
-
Install_directory
%AppData%
-
install_file
nursultan.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral1/memory/224-154-0x0000000001060000-0x000000000106E000-memory.dmp disable_win_def -
Detect Umbral payload 3 IoCs
resource yara_rule behavioral1/files/0x0028000000046117-18.dat family_umbral behavioral1/memory/4552-29-0x0000022F36EC0000-0x0000022F36F00000-memory.dmp family_umbral behavioral1/memory/4668-30-0x0000000000400000-0x0000000001D44000-memory.dmp family_umbral -
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral1/memory/224-31-0x00000000006A0000-0x00000000006D4000-memory.dmp family_xworm -
Umbral family
-
Xworm family
-
pid Process 2008 powershell.exe 1116 powershell.exe 3452 powershell.exe 4984 powershell.exe 4252 powershell.exe 4196 powershell.exe 3056 powershell.exe 3388 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts Umbral.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation MCLauncherAlpha.exe Key value queried \REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation MClauncherBETA.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nursultan.lnk MClauncherBETA.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nursultan.lnk MClauncherBETA.exe -
Executes dropped EXE 2 IoCs
pid Process 224 MClauncherBETA.exe 4552 Umbral.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nursultan = "C:\\Users\\Admin\\AppData\\Roaming\\nursultan.exe" MClauncherBETA.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 25 discord.com 26 discord.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 21 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MCLauncherAlpha.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2468 cmd.exe 4812 PING.EXE -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 988 wmic.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4812 PING.EXE -
Suspicious behavior: EnumeratesProcesses 40 IoCs
pid Process 4812 wmic.exe 4812 wmic.exe 4812 wmic.exe 4812 wmic.exe 4552 Umbral.exe 4984 powershell.exe 4984 powershell.exe 4252 powershell.exe 4252 powershell.exe 2008 powershell.exe 2008 powershell.exe 4196 powershell.exe 4196 powershell.exe 1116 powershell.exe 1116 powershell.exe 3056 powershell.exe 3056 powershell.exe 1524 powershell.exe 1524 powershell.exe 3388 powershell.exe 3388 powershell.exe 2868 wmic.exe 2868 wmic.exe 2868 wmic.exe 2868 wmic.exe 1100 wmic.exe 1100 wmic.exe 1100 wmic.exe 1100 wmic.exe 2492 wmic.exe 2492 wmic.exe 2492 wmic.exe 2492 wmic.exe 3452 powershell.exe 3452 powershell.exe 988 wmic.exe 988 wmic.exe 988 wmic.exe 988 wmic.exe 224 MClauncherBETA.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 224 MClauncherBETA.exe Token: SeDebugPrivilege 4552 Umbral.exe Token: SeIncreaseQuotaPrivilege 4812 wmic.exe Token: SeSecurityPrivilege 4812 wmic.exe Token: SeTakeOwnershipPrivilege 4812 wmic.exe Token: SeLoadDriverPrivilege 4812 wmic.exe Token: SeSystemProfilePrivilege 4812 wmic.exe Token: SeSystemtimePrivilege 4812 wmic.exe Token: SeProfSingleProcessPrivilege 4812 wmic.exe Token: SeIncBasePriorityPrivilege 4812 wmic.exe Token: SeCreatePagefilePrivilege 4812 wmic.exe Token: SeBackupPrivilege 4812 wmic.exe Token: SeRestorePrivilege 4812 wmic.exe Token: SeShutdownPrivilege 4812 wmic.exe Token: SeDebugPrivilege 4812 wmic.exe Token: SeSystemEnvironmentPrivilege 4812 wmic.exe Token: SeRemoteShutdownPrivilege 4812 wmic.exe Token: SeUndockPrivilege 4812 wmic.exe Token: SeManageVolumePrivilege 4812 wmic.exe Token: 33 4812 wmic.exe Token: 34 4812 wmic.exe Token: 35 4812 wmic.exe Token: 36 4812 wmic.exe Token: SeIncreaseQuotaPrivilege 4812 wmic.exe Token: SeSecurityPrivilege 4812 wmic.exe Token: SeTakeOwnershipPrivilege 4812 wmic.exe Token: SeLoadDriverPrivilege 4812 wmic.exe Token: SeSystemProfilePrivilege 4812 wmic.exe Token: SeSystemtimePrivilege 4812 wmic.exe Token: SeProfSingleProcessPrivilege 4812 wmic.exe Token: SeIncBasePriorityPrivilege 4812 wmic.exe Token: SeCreatePagefilePrivilege 4812 wmic.exe Token: SeBackupPrivilege 4812 wmic.exe Token: SeRestorePrivilege 4812 wmic.exe Token: SeShutdownPrivilege 4812 wmic.exe Token: SeDebugPrivilege 4812 wmic.exe Token: SeSystemEnvironmentPrivilege 4812 wmic.exe Token: SeRemoteShutdownPrivilege 4812 wmic.exe Token: SeUndockPrivilege 4812 wmic.exe Token: SeManageVolumePrivilege 4812 wmic.exe Token: 33 4812 wmic.exe Token: 34 4812 wmic.exe Token: 35 4812 wmic.exe Token: 36 4812 wmic.exe Token: SeDebugPrivilege 4984 powershell.exe Token: SeDebugPrivilege 4252 powershell.exe Token: SeIncreaseQuotaPrivilege 4984 powershell.exe Token: SeSecurityPrivilege 4984 powershell.exe Token: SeTakeOwnershipPrivilege 4984 powershell.exe Token: SeLoadDriverPrivilege 4984 powershell.exe Token: SeSystemProfilePrivilege 4984 powershell.exe Token: SeSystemtimePrivilege 4984 powershell.exe Token: SeProfSingleProcessPrivilege 4984 powershell.exe Token: SeIncBasePriorityPrivilege 4984 powershell.exe Token: SeCreatePagefilePrivilege 4984 powershell.exe Token: SeBackupPrivilege 4984 powershell.exe Token: SeRestorePrivilege 4984 powershell.exe Token: SeShutdownPrivilege 4984 powershell.exe Token: SeDebugPrivilege 4984 powershell.exe Token: SeSystemEnvironmentPrivilege 4984 powershell.exe Token: SeRemoteShutdownPrivilege 4984 powershell.exe Token: SeUndockPrivilege 4984 powershell.exe Token: SeManageVolumePrivilege 4984 powershell.exe Token: 33 4984 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 224 MClauncherBETA.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 4668 wrote to memory of 224 4668 MCLauncherAlpha.exe 83 PID 4668 wrote to memory of 224 4668 MCLauncherAlpha.exe 83 PID 4668 wrote to memory of 4552 4668 MCLauncherAlpha.exe 84 PID 4668 wrote to memory of 4552 4668 MCLauncherAlpha.exe 84 PID 4552 wrote to memory of 4812 4552 Umbral.exe 85 PID 4552 wrote to memory of 4812 4552 Umbral.exe 85 PID 4552 wrote to memory of 3704 4552 Umbral.exe 88 PID 4552 wrote to memory of 3704 4552 Umbral.exe 88 PID 4552 wrote to memory of 4984 4552 Umbral.exe 90 PID 4552 wrote to memory of 4984 4552 Umbral.exe 90 PID 224 wrote to memory of 4252 224 MClauncherBETA.exe 94 PID 224 wrote to memory of 4252 224 MClauncherBETA.exe 94 PID 4552 wrote to memory of 2008 4552 Umbral.exe 98 PID 4552 wrote to memory of 2008 4552 Umbral.exe 98 PID 224 wrote to memory of 4196 224 MClauncherBETA.exe 100 PID 224 wrote to memory of 4196 224 MClauncherBETA.exe 100 PID 4552 wrote to memory of 1116 4552 Umbral.exe 102 PID 4552 wrote to memory of 1116 4552 Umbral.exe 102 PID 224 wrote to memory of 3056 224 MClauncherBETA.exe 104 PID 224 wrote to memory of 3056 224 MClauncherBETA.exe 104 PID 4552 wrote to memory of 1524 4552 Umbral.exe 106 PID 4552 wrote to memory of 1524 4552 Umbral.exe 106 PID 224 wrote to memory of 3388 224 MClauncherBETA.exe 108 PID 224 wrote to memory of 3388 224 MClauncherBETA.exe 108 PID 4552 wrote to memory of 2868 4552 Umbral.exe 110 PID 4552 wrote to memory of 2868 4552 Umbral.exe 110 PID 4552 wrote to memory of 1100 4552 Umbral.exe 112 PID 4552 wrote to memory of 1100 4552 Umbral.exe 112 PID 4552 wrote to memory of 2492 4552 Umbral.exe 114 PID 4552 wrote to memory of 2492 4552 Umbral.exe 114 PID 4552 wrote to memory of 3452 4552 Umbral.exe 117 PID 4552 wrote to memory of 3452 4552 Umbral.exe 117 PID 4552 wrote to memory of 988 4552 Umbral.exe 119 PID 4552 wrote to memory of 988 4552 Umbral.exe 119 PID 4552 wrote to memory of 2468 4552 Umbral.exe 121 PID 4552 wrote to memory of 2468 4552 Umbral.exe 121 PID 2468 wrote to memory of 4812 2468 cmd.exe 123 PID 2468 wrote to memory of 4812 2468 cmd.exe 123 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 3704 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\MCLauncherAlpha.exe"C:\Users\Admin\AppData\Local\Temp\MCLauncherAlpha.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4668 -
C:\Users\Admin\AppData\Local\Temp\MClauncherBETA.exe"C:\Users\Admin\AppData\Local\Temp\MClauncherBETA.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MClauncherBETA.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4252
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MClauncherBETA.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\nursultan.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'nursultan.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3388
-
-
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4812
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"3⤵
- Views/modifies file attributes
PID:3704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 23⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1524
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2868
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1100
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2492
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3452
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name3⤵
- Detects videocard installed
- Suspicious behavior: EnumeratesProcesses
PID:988
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\system32\PING.EXEping localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4812
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
1KB
MD5dd898d1b5765d2c6af25566dac42d5e3
SHA16bc216917284103ef14d7335b60e5c481732c381
SHA25667ef10f50dc2bb3bb0cb1e655275e97ab3c25aeed9a0860923a1965b2caf7a75
SHA512467b3900a18fd494aa64167960614e8b324f11d7d1702e7751c8d8a190538b80ca30f602f92a813e8e3aa18f643055416492ef58886c9e30e274a12d1134428e
-
Filesize
1KB
MD58e1fdd1b66d2fee9f6a052524d4ddca5
SHA10a9d0994559d1be2eecd8b0d6960540ca627bdb6
SHA2564cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13
SHA5125a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3
-
Filesize
1KB
MD51084e4337b8976d5176147c43669c932
SHA1cd424c0dd9058ea91d0dbecf2c9c6648949b4ffb
SHA2560cccb48bc934e92e50dd2a14086ae5524e4b47e84d7ab966b24a307dcb4f6044
SHA5122caa2b93e0c24510a5ce05855bf74027d75ba2d92bd80e256d5b5e5408fff9076e38574b72ae4c4f86c1d7d34bba5249dea4d665dac4477c1a9b5912bad8b1ef
-
Filesize
1KB
MD52931aea7871334d4cddec682210d648c
SHA12496cfc5d74a33f4dd1c361b5ae4fb74ef0e4eea
SHA256a033a94d0edba753e8c9b10a6a1dbf04969ff6d16e72e7aadf66e830c469e54d
SHA512bd82837e9bfc3b905c50a5179c82866e1b9a9db9ecc35ea120769b89335cb7a58722f52aff284326ca145565b64019fac221896ea4bf9e4e8a761a69c515df57
-
Filesize
1KB
MD5c67441dfa09f61bca500bb43407c56b8
SHA15a56cf7cbeb48c109e2128c31b681fac3959157b
SHA25663082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33
SHA512325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8
-
Filesize
948B
MD51297ab1638f5754968fea0e770ae6b77
SHA131d494d49591b10227e9e20441102f15e089c0eb
SHA2569ccaa5d197966ed0d707103be05ab3e5b48f9992545d743d5bc8fa2a00d905f8
SHA512105ad4ced4851c6b78e5a8038b1c5584ecea0eb32087994f7fefde86207961739b5d6ed64f64d9e5298b1c149069c6cb3b7658e56bb329ed79f5ff6a25c18f3f
-
Filesize
25.0MB
MD560cb9c4ee3d76178e3d3ed6a976b2b07
SHA1c3fae3819b20ae35bbf6e553b36abc740c53878d
SHA256faae0bb980abf5dc0bb4b2137aa94563cb4a7cbd4baeba321811879a086e53a1
SHA5123e3238fe61efdfc4fc2d990b1ccd4ddd05aec72ec9c40032e370b6dbe9e238a5ba352de09a257762e02f75b195ed6e54f7121f9c95a85a2799092ceb22812b21
-
Filesize
232KB
MD5274979bece73b8dcfcec48e29c3faac6
SHA1e132c92ef72fb91dc781723f1228a6e0917649cd
SHA256ffc855e7ccf7a3d7982e18c62ecbf7a2daf01ed769c272b90b039b3c934d91cc
SHA512562b29a9797154d7bcebe87babf79f15dbb345f69cdb165efca4ee9cf370457c37df8d30e85258546bbbac35ce5cf26b3d47326867764ccc0857ab75c1beed53
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82