Analysis

  • max time kernel
    102s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/04/2025, 05:27 UTC

General

  • Target

    2025-04-11_ef14d6ddb61187f3e21d84634d8a1be5_babuk_destroyer_elex.exe

  • Size

    86KB

  • MD5

    ef14d6ddb61187f3e21d84634d8a1be5

  • SHA1

    9ba13927d59b16b15ecc8ad8a697bc62347459b3

  • SHA256

    b072a614b15541b1fed03986cf88b2fa369169f11dededf2ac41f9ce422cae0e

  • SHA512

    6c615c61673076c001b7ba493ac9fddc3f5eb53a9282bddffdd129064400d2e74b9c613d19cfdd95535ed45283e81acc7fdf9c19b78026191ab03bdc798a6fab

  • SSDEEP

    1536:jvHJ5hiBMAMnL+by+PGuMsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2es4C:jvHJ/iBMAqeyXBsrQLOJgY8Zp8LHD4Xl

Malware Config

Extracted

Path

C:\PerfLogs\How To Restore Your Files.txt

Ransom Note
############## [ babuk ransomware greetings you ] ############## Introduction ---------------------------------------------- Congratulations! If you see this note, your company've been randomly chosen for security audit and your company haven't passed it. Unfortunately your servers are encrypted, backups are encrtypted too or deleted. Our enctyption algorythms are strong and it's impossible to decrypt your stuff without our help. Only one method to restore all your network and systems is - to buy our universal decryption software. Follow simple steps that discribed down below and your data will be saved. In case you ignore this situation, the consequences could me much serious, than you can imagine. Guarantees ---------------------------------------------- The hack and system encryption wasn't compromised by your competitors or any other 3rd party, this is just and only our initiative and only thing we interested is profit. Accurding the previous sentence We are very much value of our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We guarantee full support and help through the all decryption process. As the proof of our abilities and honesty, we can decrypt few small files for free, check the link provided and ask any questions. Data leakage ---------------------------------------------- We have copied some quantity of data from your servers. Check those proofs and estimate the seriousness of consequences which can occur in case you ignore us: http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/blog/da83db34f2e0c077f7b064e6556f127c0a91d7ae21f3855f0e7279ce14d5f406/ This link is private and only you can see it. Use tor browser to open link. 
Ignoring the interaction with us brings you the publishing your data in our public blog http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/ Contact ---------------------------------------------- 1) Download tor browser: https://www.torproject.org/download/ 2) Open it 3) Follow this link in tor browser: http://vq3zf757tzpwhs7bulnr43d2rfg5fkvvfkhee2zhhzievuxrbnarmgqd.onion/3fbf8f220dae00bb6bb8539b9c6c86c4bf5c58ccf651542e3363dd131239edd6 * 6 simple steps do minimize harm from ransomware. ----------------------------------------------------------------------------------------------------------------- Thousands of companies around the world are struggling on ransomware these days, and the most of companies are making the same mistakes again and again. Let’s figure out how to minimize harm and do not be a dumb and pathetic donkey which will make fun for journalists and so on.. 1. If you see small fella malicious .exe file never load it to virustotal.com or any other virus researching website. Otherwise the info about the hack is not a secret anymore. The fact that your company is under ransomware attack is already known by filthy predators data security agents who will post in their pity twitters the fresh known news “OMG ANOTHER RANSOMWARE NOW IT’S “Your company name LLC!!!!! We are all gonna die aaaaaa halp” 2. No any public announcements about the hack or data leakage. And do not applicate to law enforcement. If you commit this actions, more serious consequences can occur and you pay much more than a ransom amount. Law structures like GDPR in this case can oblige you to pay huge fine. 3. As soon as you see your network compromised, follow the link inside any note and follow instructions. 4. Calm your employees. Explain them that this is a drill. And you test your network security systems. 5. If you decide to hire the data recovery company, obligate them to do not inform anyone and any third party about details of the attack. 
We strongly do not recommend to cooperate with data recovery company, because they do absolutely nothing that you can do by yourself and take money for it. all communications with hackers could be conducted by your it department indipendently without any extra payments. 6. Do not try to decrypt your data via 3rd party software. Most of ransomware use strong encryption algorthm and you can harm your files by using 3rd party decryption software.
URLs

http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/blog/da83db34f2e0c077f7b064e6556f127c0a91d7ae21f3855f0e7279ce14d5f406/

http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/

http://vq3zf757tzpwhs7bulnr43d2rfg5fkvvfkhee2zhhzievuxrbnarmgqd.onion/3fbf8f220dae00bb6bb8539b9c6c86c4bf5c58ccf651542e3363dd131239edd6

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

  • Babuk family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (191) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-11_ef14d6ddb61187f3e21d84634d8a1be5_babuk_destroyer_elex.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-11_ef14d6ddb61187f3e21d84634d8a1be5_babuk_destroyer_elex.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3360
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4116
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3088
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3704
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4160
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5836

Network

  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8vCDEjisXLDoOGkh0KBEIczVUCUyOkFWbJDWgySrFdouAGVlEVf0CAVzkwJ5LuhsxrvFWSD_svpQ_MuD6-b5xyuMpbv1TSdkx807dbAmXg668JXMyqOSVXmWHaXNzM7zjKHNXIdkw3P_-7WdvLw9g1O1upy4aWz9JLsY9lD0JYH4Q5sJA%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZmZyZWUtb2ZmaWNlLW9ubGluZS1mb3ItdGhlLXdlYiUzZm9jaWQlM2RjbW01enF4NmxxMA%26rlid%3Dac4e8f1b84851648220ee8e3ad63f87d&TIME=20250410T202853Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:B300B431-3D5B-FF4A-B00C-11B10EFBCA8F&deviceId=6896214310665433&muid=B300B4313D5BFF4AB00C11B10EFBCA8F
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8vCDEjisXLDoOGkh0KBEIczVUCUyOkFWbJDWgySrFdouAGVlEVf0CAVzkwJ5LuhsxrvFWSD_svpQ_MuD6-b5xyuMpbv1TSdkx807dbAmXg668JXMyqOSVXmWHaXNzM7zjKHNXIdkw3P_-7WdvLw9g1O1upy4aWz9JLsY9lD0JYH4Q5sJA%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZmZyZWUtb2ZmaWNlLW9ubGluZS1mb3ItdGhlLXdlYiUzZm9jaWQlM2RjbW01enF4NmxxMA%26rlid%3Dac4e8f1b84851648220ee8e3ad63f87d&TIME=20250410T202853Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:B300B431-3D5B-FF4A-B00C-11B10EFBCA8F&deviceId=6896214310665433&muid=B300B4313D5BFF4AB00C11B10EFBCA8F HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=07A175A1C94E6B231614606AC8AE6AC8; domain=.bing.com; expires=Wed, 06-May-2026 05:27:29 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 10D748D66939447FB3F21E8CFE4B6180 Ref B: LON04EDGE1020 Ref C: 2025-04-11T05:27:29Z
    date: Fri, 11 Apr 2025 05:27:28 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8vCDEjisXLDoOGkh0KBEIczVUCUyOkFWbJDWgySrFdouAGVlEVf0CAVzkwJ5LuhsxrvFWSD_svpQ_MuD6-b5xyuMpbv1TSdkx807dbAmXg668JXMyqOSVXmWHaXNzM7zjKHNXIdkw3P_-7WdvLw9g1O1upy4aWz9JLsY9lD0JYH4Q5sJA%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZmZyZWUtb2ZmaWNlLW9ubGluZS1mb3ItdGhlLXdlYiUzZm9jaWQlM2RjbW01enF4NmxxMA%26rlid%3Dac4e8f1b84851648220ee8e3ad63f87d&TIME=20250410T202853Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:B300B431-3D5B-FF4A-B00C-11B10EFBCA8F&deviceId=6896214310665433&muid=B300B4313D5BFF4AB00C11B10EFBCA8F
    Remote address:
    150.171.27.10:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8vCDEjisXLDoOGkh0KBEIczVUCUyOkFWbJDWgySrFdouAGVlEVf0CAVzkwJ5LuhsxrvFWSD_svpQ_MuD6-b5xyuMpbv1TSdkx807dbAmXg668JXMyqOSVXmWHaXNzM7zjKHNXIdkw3P_-7WdvLw9g1O1upy4aWz9JLsY9lD0JYH4Q5sJA%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZmZyZWUtb2ZmaWNlLW9ubGluZS1mb3ItdGhlLXdlYiUzZm9jaWQlM2RjbW01enF4NmxxMA%26rlid%3Dac4e8f1b84851648220ee8e3ad63f87d&TIME=20250410T202853Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:B300B431-3D5B-FF4A-B00C-11B10EFBCA8F&deviceId=6896214310665433&muid=B300B4313D5BFF4AB00C11B10EFBCA8F HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=07A175A1C94E6B231614606AC8AE6AC8; _EDGE_S=SID=137DA8266325681F22ABBDED629E690E
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=YTj7injpTuMZXwUlRFcH-yNDlnDYahpkWwRkAUz3wws; domain=.bing.com; expires=Wed, 06-May-2026 05:27:29 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2BAD57BEE4534AE183B3FCC2BC1EFFF2 Ref B: LON04EDGE1020 Ref C: 2025-04-11T05:27:29Z
    date: Fri, 11 Apr 2025 05:27:28 GMT
  • flag-gb
    GET
    https://www.bing.com/aes/c.gif?RG=a4ef1a21696f4f29825f287da49246b0&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20250410T202853Z&adUnitId=11730597&localId=w:B300B431-3D5B-FF4A-B00C-11B10EFBCA8F&deviceId=6896214310665433
    Remote address:
    95.101.143.177:443
    Request
    GET /aes/c.gif?RG=a4ef1a21696f4f29825f287da49246b0&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20250410T202853Z&adUnitId=11730597&localId=w:B300B431-3D5B-FF4A-B00C-11B10EFBCA8F&deviceId=6896214310665433 HTTP/2.0
    host: www.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=07A175A1C94E6B231614606AC8AE6AC8
    Response
    HTTP/2.0 200
    cache-control: private,no-store
    pragma: no-cache
    vary: Origin
    p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1AE9BD066F9F4F45BA807285EF346DF8 Ref B: LON04EDGE0817 Ref C: 2025-04-11T05:27:29Z
    content-length: 0
    date: Fri, 11 Apr 2025 05:27:29 GMT
    set-cookie: _EDGE_S=SID=137DA8266325681F22ABBDED629E690E; path=/; httponly; domain=bing.com
    set-cookie: MUIDB=07A175A1C94E6B231614606AC8AE6AC8; path=/; httponly; expires=Wed, 06-May-2026 05:27:29 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.bc8f655f.1744349249.1c9e1e47
  • flag-us
    DNS
    c.pki.goog
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.179.227
  • flag-gb
    GET
    http://c.pki.goog/r/r1.crl
    Remote address:
    142.250.179.227:80
    Request
    GET /r/r1.crl HTTP/1.1
    Cache-Control: max-age = 3000
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 03 Apr 2025 14:18:00 GMT
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 304 Not Modified
    Date: Fri, 11 Apr 2025 04:50:35 GMT
    Expires: Fri, 11 Apr 2025 05:40:35 GMT
    Age: 2274
    Last-Modified: Thu, 03 Apr 2025 14:18:00 GMT
    Cache-Control: public, max-age=3000
    Vary: Accept-Encoding
  • 150.171.27.10:443
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8vCDEjisXLDoOGkh0KBEIczVUCUyOkFWbJDWgySrFdouAGVlEVf0CAVzkwJ5LuhsxrvFWSD_svpQ_MuD6-b5xyuMpbv1TSdkx807dbAmXg668JXMyqOSVXmWHaXNzM7zjKHNXIdkw3P_-7WdvLw9g1O1upy4aWz9JLsY9lD0JYH4Q5sJA%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZmZyZWUtb2ZmaWNlLW9ubGluZS1mb3ItdGhlLXdlYiUzZm9jaWQlM2RjbW01enF4NmxxMA%26rlid%3Dac4e8f1b84851648220ee8e3ad63f87d&TIME=20250410T202853Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:B300B431-3D5B-FF4A-B00C-11B10EFBCA8F&deviceId=6896214310665433&muid=B300B4313D5BFF4AB00C11B10EFBCA8F
    tls, http2
    2.5kB
    9.2kB
    19
    17

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8vCDEjisXLDoOGkh0KBEIczVUCUyOkFWbJDWgySrFdouAGVlEVf0CAVzkwJ5LuhsxrvFWSD_svpQ_MuD6-b5xyuMpbv1TSdkx807dbAmXg668JXMyqOSVXmWHaXNzM7zjKHNXIdkw3P_-7WdvLw9g1O1upy4aWz9JLsY9lD0JYH4Q5sJA%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZmZyZWUtb2ZmaWNlLW9ubGluZS1mb3ItdGhlLXdlYiUzZm9jaWQlM2RjbW01enF4NmxxMA%26rlid%3Dac4e8f1b84851648220ee8e3ad63f87d&TIME=20250410T202853Z&CID=531098720&EID=531098720&tids=15000&adUnitId=11730597&localId=w:B300B431-3D5B-FF4A-B00C-11B10EFBCA8F&deviceId=6896214310665433&muid=B300B4313D5BFF4AB00C11B10EFBCA8F

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8vCDEjisXLDoOGkh0KBEIczVUCUyOkFWbJDWgySrFdouAGVlEVf0CAVzkwJ5LuhsxrvFWSD_svpQ_MuD6-b5xyuMpbv1TSdkx807dbAmXg668JXMyqOSVXmWHaXNzM7zjKHNXIdkw3P_-7WdvLw9g1O1upy4aWz9JLsY9lD0JYH4Q5sJA%26u%3DbWljcm9zb2Z0LWVkZ2UlM2FodHRwcyUzYSUyZiUyZnd3dy5taWNyb3NvZnQuY29tJTJmbWljcm9zb2Z0LTM2NSUyZmZyZWUtb2ZmaWNlLW9ubGluZS1mb3ItdGhlLXdlYiUzZm9jaWQlM2RjbW01enF4NmxxMA%26rlid%3Dac4e8f1b84851648220ee8e3ad63f87d&TIME=20250410T202853Z&CID=531098720&EID=&tids=15000&adUnitId=11730597&localId=w:B300B431-3D5B-FF4A-B00C-11B10EFBCA8F&deviceId=6896214310665433&muid=B300B4313D5BFF4AB00C11B10EFBCA8F

    HTTP Response

    204
  • 95.101.143.177:443
    https://www.bing.com/aes/c.gif?RG=a4ef1a21696f4f29825f287da49246b0&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20250410T202853Z&adUnitId=11730597&localId=w:B300B431-3D5B-FF4A-B00C-11B10EFBCA8F&deviceId=6896214310665433
    tls, http2
    1.4kB
    5.4kB
    16
    12

    HTTP Request

    GET https://www.bing.com/aes/c.gif?RG=a4ef1a21696f4f29825f287da49246b0&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20250410T202853Z&adUnitId=11730597&localId=w:B300B431-3D5B-FF4A-B00C-11B10EFBCA8F&deviceId=6896214310665433

    HTTP Response

    200
  • 142.250.179.227:80
    http://c.pki.goog/r/r1.crl
    http
    752 B
    819 B
    12
    14

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    304
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.27.10
    150.171.28.10

  • 8.8.8.8:53
    c.pki.goog
    dns
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.179.227

MITRE ATT&CK Enterprise v16

Downloads

  • C:\PerfLogs\How To Restore Your Files.txt

    Filesize

    4KB

    MD5

    165cb7536738d30a7ab5d8740f0d5c82

    SHA1

    e7c713f922758e9d5c23ea6ffdcd467e14cd558f

    SHA256

    b2868664ac8e06a5c33b650d24342f6094d0452c481b41bcdbf39ebde572f3b2

    SHA512

    ec800e9e28dec8ddce9ddba03a90795cef22947860eb896ad5fbf24215737c38228fc207adc97270584874f0ce66e5c1fffea51fc2393c7fe56b52bf536467ce
