Analysis
-
max time kernel
119s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
24/01/2025, 05:35
Static task
static1
Behavioral task
behavioral1
Sample
f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe
Resource
win10v2004-20241007-en
General
-
Target
f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe
-
Size
2.0MB
-
MD5
ebd4bf9d027377c302d811589f88fca0
-
SHA1
73cb7b4678b0386f696c6bc21e87495aba46b433
-
SHA256
f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96
-
SHA512
4ea20a9302c887f55795ac237a698bfe53036de8543d1c1043057201677d0c88a55ad6458402caad96056793f1fcafc464fce4c5e00fc34b7205f4ba642d56a0
-
SSDEEP
49152:fmTWr53HxurntpSJU2mN2xl42d91cKSd5W6l/p7AFWVBpG947fVr0YfwCCkB1mpt:fmTWr53HxurntpSJU2mN2xu2d91cKSdo
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 9 IoCs
resource yara_rule behavioral1/memory/2884-54-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral1/memory/2884-67-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral1/memory/2884-70-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral1/memory/2884-72-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral1/memory/2884-75-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral1/memory/2884-77-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral1/memory/2884-79-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral1/memory/2884-84-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades behavioral1/memory/2884-89-0x0000000000400000-0x000000000045C000-memory.dmp family_blackshades -
Modifies firewall policy service 3 TTPs 8 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Directory\\WindowsDef.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\IDungProV5.exe = "C:\\Users\\Admin\\AppData\\Roaming\\IDungProV5.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe -
Executes dropped EXE 3 IoCs
pid Process 2860 WindowsDef.exe 2884 WindowsDef.exe 2876 WindowsDef.exe -
Loads dropped DLL 7 IoCs
pid Process 2584 f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe 2584 f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe 2584 f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe 2584 f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe 2584 f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe 2860 WindowsDef.exe 2860 WindowsDef.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDef = "C:\\Users\\Admin\\AppData\\Roaming\\Directory\\WindowsDef.exe" reg.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2860 set thread context of 2884 2860 WindowsDef.exe 34 PID 2860 set thread context of 2876 2860 WindowsDef.exe 35 -
resource yara_rule behavioral1/memory/2876-64-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral1/memory/2876-60-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral1/memory/2876-63-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral1/memory/2884-54-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral1/memory/2884-51-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral1/memory/2884-48-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral1/memory/2884-67-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral1/memory/2876-69-0x0000000000400000-0x0000000000409000-memory.dmp upx behavioral1/memory/2884-70-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral1/memory/2884-72-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral1/memory/2884-75-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral1/memory/2884-77-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral1/memory/2884-79-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral1/memory/2884-84-0x0000000000400000-0x000000000045C000-memory.dmp upx behavioral1/memory/2884-89-0x0000000000400000-0x000000000045C000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WindowsDef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WindowsDef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WindowsDef.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 2576 reg.exe 1640 reg.exe 2348 reg.exe 2656 reg.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: 1 2884 WindowsDef.exe Token: SeCreateTokenPrivilege 2884 WindowsDef.exe Token: SeAssignPrimaryTokenPrivilege 2884 WindowsDef.exe Token: SeLockMemoryPrivilege 2884 WindowsDef.exe Token: SeIncreaseQuotaPrivilege 2884 WindowsDef.exe Token: SeMachineAccountPrivilege 2884 WindowsDef.exe Token: SeTcbPrivilege 2884 WindowsDef.exe Token: SeSecurityPrivilege 2884 WindowsDef.exe Token: SeTakeOwnershipPrivilege 2884 WindowsDef.exe Token: SeLoadDriverPrivilege 2884 WindowsDef.exe Token: SeSystemProfilePrivilege 2884 WindowsDef.exe Token: SeSystemtimePrivilege 2884 WindowsDef.exe Token: SeProfSingleProcessPrivilege 2884 WindowsDef.exe Token: SeIncBasePriorityPrivilege 2884 WindowsDef.exe Token: SeCreatePagefilePrivilege 2884 WindowsDef.exe Token: SeCreatePermanentPrivilege 2884 WindowsDef.exe Token: SeBackupPrivilege 2884 WindowsDef.exe Token: SeRestorePrivilege 2884 WindowsDef.exe Token: SeShutdownPrivilege 2884 WindowsDef.exe Token: SeDebugPrivilege 2884 WindowsDef.exe Token: SeAuditPrivilege 2884 WindowsDef.exe Token: SeSystemEnvironmentPrivilege 2884 WindowsDef.exe Token: SeChangeNotifyPrivilege 2884 WindowsDef.exe Token: SeRemoteShutdownPrivilege 2884 WindowsDef.exe Token: SeUndockPrivilege 2884 WindowsDef.exe Token: SeSyncAgentPrivilege 2884 WindowsDef.exe Token: SeEnableDelegationPrivilege 2884 WindowsDef.exe Token: SeManageVolumePrivilege 2884 WindowsDef.exe Token: SeImpersonatePrivilege 2884 WindowsDef.exe Token: SeCreateGlobalPrivilege 2884 WindowsDef.exe Token: 31 2884 WindowsDef.exe Token: 32 2884 WindowsDef.exe Token: 33 2884 WindowsDef.exe Token: 34 2884 WindowsDef.exe Token: 35 2884 WindowsDef.exe Token: SeDebugPrivilege 2876 WindowsDef.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2584 f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe 2860 WindowsDef.exe 2884 WindowsDef.exe 2884 WindowsDef.exe 2876 WindowsDef.exe 2884 WindowsDef.exe -
Suspicious use of WriteProcessMemory 62 IoCs
description pid Process procid_target PID 2584 wrote to memory of 2400 2584 f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe 30 PID 2584 wrote to memory of 2400 2584 f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe 30 PID 2584 wrote to memory of 2400 2584 f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe 30 PID 2584 wrote to memory of 2400 2584 f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe 30 PID 2400 wrote to memory of 2760 2400 cmd.exe 32 PID 2400 wrote to memory of 2760 2400 cmd.exe 32 PID 2400 wrote to memory of 2760 2400 cmd.exe 32 PID 2400 wrote to memory of 2760 2400 cmd.exe 32 PID 2584 wrote to memory of 2860 2584 f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe 33 PID 2584 wrote to memory of 2860 2584 f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe 33 PID 2584 wrote to memory of 2860 2584 f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe 33 PID 2584 wrote to memory of 2860 2584 f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe 33 PID 2860 wrote to memory of 2884 2860 WindowsDef.exe 34 PID 2860 wrote to memory of 2884 2860 WindowsDef.exe 34 PID 2860 wrote to memory of 2884 2860 WindowsDef.exe 34 PID 2860 wrote to memory of 2884 2860 WindowsDef.exe 34 PID 2860 wrote to memory of 2884 2860 WindowsDef.exe 34 PID 2860 wrote to memory of 2884 2860 WindowsDef.exe 34 PID 2860 wrote to memory of 2884 2860 WindowsDef.exe 34 PID 2860 wrote to memory of 2884 2860 WindowsDef.exe 34 PID 2860 wrote to memory of 2884 2860 WindowsDef.exe 34 PID 2860 wrote to memory of 2876 2860 WindowsDef.exe 35 PID 2860 wrote to memory of 2876 2860 WindowsDef.exe 35 PID 2860 wrote to memory of 2876 2860 WindowsDef.exe 35 PID 2860 wrote to memory of 2876 2860 WindowsDef.exe 35 PID 2884 wrote to memory of 2780 2884 WindowsDef.exe 36 PID 2884 wrote to memory of 2780 2884 WindowsDef.exe 36 PID 2884 wrote to memory of 2780 2884 WindowsDef.exe 36 PID 2884 wrote to memory of 2780 2884 WindowsDef.exe 36 PID 2884 wrote to memory of 2788 2884 WindowsDef.exe 37 PID 2884 wrote to memory of 2788 2884 WindowsDef.exe 37 PID 2884 wrote to memory of 2788 2884 WindowsDef.exe 37 PID 2884 wrote to memory of 2788 2884 WindowsDef.exe 37 PID 2884 wrote to memory of 1900 2884 WindowsDef.exe 38 PID 2884 wrote to memory of 1900 2884 WindowsDef.exe 38 PID 2884 wrote to memory of 1900 2884 WindowsDef.exe 38 PID 2884 wrote to memory of 1900 2884 WindowsDef.exe 38 PID 2884 wrote to memory of 2836 2884 WindowsDef.exe 40 PID 2884 wrote to memory of 2836 2884 WindowsDef.exe 40 PID 2884 wrote to memory of 2836 2884 WindowsDef.exe 40 PID 2884 wrote to memory of 2836 2884 WindowsDef.exe 40 PID 2780 wrote to memory of 2656 2780 cmd.exe 44 PID 2780 wrote to memory of 2656 2780 cmd.exe 44 PID 2780 wrote to memory of 2656 2780 cmd.exe 44 PID 2780 wrote to memory of 2656 2780 cmd.exe 44 PID 2860 wrote to memory of 2876 2860 WindowsDef.exe 35 PID 2860 wrote to memory of 2876 2860 WindowsDef.exe 35 PID 2860 wrote to memory of 2876 2860 WindowsDef.exe 35 PID 2860 wrote to memory of 2876 2860 WindowsDef.exe 35 PID 2860 wrote to memory of 2876 2860 WindowsDef.exe 35 PID 1900 wrote to memory of 2348 1900 cmd.exe 45 PID 1900 wrote to memory of 2348 1900 cmd.exe 45 PID 1900 wrote to memory of 2348 1900 cmd.exe 45 PID 1900 wrote to memory of 2348 1900 cmd.exe 45 PID 2788 wrote to memory of 1640 2788 cmd.exe 46 PID 2788 wrote to memory of 1640 2788 cmd.exe 46 PID 2788 wrote to memory of 1640 2788 cmd.exe 46 PID 2788 wrote to memory of 1640 2788 cmd.exe 46 PID 2836 wrote to memory of 2576 2836 cmd.exe 47 PID 2836 wrote to memory of 2576 2836 cmd.exe 47 PID 2836 wrote to memory of 2576 2836 cmd.exe 47 PID 2836 wrote to memory of 2576 2836 cmd.exe 47
Processes
-
C:\Users\Admin\AppData\Local\Temp\f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe"C:\Users\Admin\AppData\Local\Temp\f5356d6c796405774d19fa81d405c30e8370170b58b152e842b559790a54ad96N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\PycKq.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDef" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe" /f3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2760
-
-
-
C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe"C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exeC:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2656
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1640
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2348
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\IDungProV5.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IDungProV5.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\IDungProV5.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IDungProV5.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2576
-
-
-
-
C:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exeC:\Users\Admin\AppData\Roaming\Directory\WindowsDef.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2876
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD512506b1a3ef0e7dcef2babaaecfb81e8
SHA19564f2c31b336dab739e74cceedb5e4d07c2a563
SHA2563922b88903f6e7a4cd1e9cee92f9a0de6f0cd28a4a6db73114e320fa7cbf8c8a
SHA512cbf0ade56c9961edcf8018f8e1654446e17c863e8df98a78b781b4b91ca87a9ab3b1532376f245c678f6f9e00771d74dba99e0fee237ebf3f4a69473d57f0dec
-
Filesize
2.0MB
MD57e68041a11f22ed557b1a05033f2428d
SHA159f5d04867d237334a3442834ac07551b570ad89
SHA25625164e236ef5b56d1059ad5df567f1ca9f7f2c3d0970f3f82757814ac625f42d
SHA51213056540cdea683b87601cbaa3eee8e44fa4b8b047d5f14aa8817e9d3445537a0af835507d394a8f47ccd7feb75f29e2a0f2845ee76396843770952d3cb48214