Analysis
-
max time kernel
440s -
max time network
441s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system -
submitted
15/05/2025, 07:39
Static task
static1
Behavioral task
behavioral1
Sample
encrypter-windows-gui-x86.exe
Resource
win10v2004-20250502-en
General
-
Target
encrypter-windows-gui-x86.exe
-
Size
1.1MB
-
MD5
d0728e075e66bda22bb6c030502a689a
-
SHA1
60c3cce7d1e1921794cd00308efb73f3412384fb
-
SHA256
fb2fe8e18856af09231edefccc7d54b881d8f488f91ff61f4c09995c33aaafce
-
SHA512
773f413ef51bc2493a940011645c40d1f55d06a53e8e60032ed01ad016184d67289a9fd9d3bb8af42fbdca29f0bb927e0137ff4f5f0914ea52b58646051962ef
-
SSDEEP
24576:7u43pl7vAJusc1XsmJxYxm37IZ1EbdOn2XqKP/TMRxYWXE:7r3pl7pexGvdfXqKP/TMRGWXE
Malware Config
Extracted
C:\Program Files\README.TXT
MAIL:[email protected]
https://getsession.org
Signatures
-
Renames multiple (5855) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 2 IoCs
pid Process 4480 szoulvdi.exe 3500 szoulvdi.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E} = "\"C:\\ProgramData\\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\\szoulvdi.exe\" /V-" szoulvdi.exe Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E} = "\"C:\\ProgramData\\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\\szoulvdi.exe\" /V-" szoulvdi.exe -
Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: szoulvdi.exe File opened (read-only) \??\F: szoulvdi.exe File opened (read-only) \??\Z: szoulvdi.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\action_poster.jpg szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\Studio.png szoulvdi.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\README.TXT szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\29.jpg szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreWideTile.scale-100.png szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Star.png szoulvdi.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo szoulvdi.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\root\README.TXT szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.winmd szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\AppxSignature.p7x szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-24.png szoulvdi.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\README.TXT szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-100_contrast-black.png szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxWideTile.scale-200.png szoulvdi.exe File created C:\Program Files\Microsoft Office\root\Office16\XLSTART\README.TXT szoulvdi.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\README.TXT szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-100.png szoulvdi.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sv-se\README.TXT szoulvdi.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\README.TXT szoulvdi.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\CASCADE.ELM szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\BadgeLogo.scale-100_contrast-black.png szoulvdi.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\ui-strings.js szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-100_contrast-white.png szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\MoveToFolderToastQuickAction.scale-80.png szoulvdi.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml szoulvdi.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms.{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}.edukr szoulvdi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008 szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarWideTile.scale-200.png szoulvdi.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-ms.{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}.edukr szoulvdi.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\README.TXT szoulvdi.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ar-ae\README.TXT szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60_altform-unplated.png szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml szoulvdi.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reminders_18.svg szoulvdi.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\de-de\ui-strings.js szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\en-US.PhoneNumber.model szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\PSD2Control.xaml szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png szoulvdi.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-si\ui-strings.js szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\WideTile.scale-100.png szoulvdi.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\offlineStrings.js szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_altform-unplated_contrast-high.png szoulvdi.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-gb\README.TXT szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_TicketedEvent.png szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-96_altform-lightunplated.png szoulvdi.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png szoulvdi.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\README.TXT szoulvdi.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt szoulvdi.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x szoulvdi.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-96.png szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-100.png szoulvdi.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ul-oob.xrm-ms szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\AppxManifest.xml szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxSignature.p7x szoulvdi.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\README.TXT szoulvdi.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_nothumbnail_34.svg szoulvdi.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat szoulvdi.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 10204 4480 WerFault.exe 86 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language encrypter-windows-gui-x86.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language szoulvdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language szoulvdi.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4480 szoulvdi.exe 3500 szoulvdi.exe 4480 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe 3500 szoulvdi.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 3068 encrypter-windows-gui-x86.exe Token: SeTakeOwnershipPrivilege 4480 szoulvdi.exe Token: SeTakeOwnershipPrivilege 3500 szoulvdi.exe Token: SeBackupPrivilege 3908 vssvc.exe Token: SeRestorePrivilege 3908 vssvc.exe Token: SeAuditPrivilege 3908 vssvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3068 wrote to memory of 4480 3068 encrypter-windows-gui-x86.exe 86 PID 3068 wrote to memory of 4480 3068 encrypter-windows-gui-x86.exe 86 PID 3068 wrote to memory of 4480 3068 encrypter-windows-gui-x86.exe 86 PID 1604 wrote to memory of 3500 1604 cmd.exe 89 PID 1604 wrote to memory of 3500 1604 cmd.exe 89 PID 1604 wrote to memory of 3500 1604 cmd.exe 89 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\encrypter-windows-gui-x86.exe"C:\Users\Admin\AppData\Local\Temp\encrypter-windows-gui-x86.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe"C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4480 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 15243⤵
- Program crash
PID:10204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe" /V-1⤵
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exeC:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe /V-2⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3500
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3908
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4480 -ip 44801⤵PID:10740
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar.{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}.edukr
Filesize2.1MB
MD58387a958cb174e1f7b9be8a5a7673d33
SHA1c6c144e3d42f8f941f53db8cccc724bdc33a938d
SHA256466ba5591cdebf9fb2ee87c9a209c8531d247fdd712c55e6f2f0aef160e507e8
SHA512fb050712efffef2ee5985f5d7e920bede8528d5efacc4f8a52bde4076b8ef223cd02396f654375795971072653c37eb4d70176c12cc8d055fa21b2161300310a
-
Filesize
3KB
MD5f99f7c71d34b1123f0d892e3ccadc7fb
SHA1719a28ee9139f75fabd9eff72cf6b1eee98b3d4d
SHA256423d63cefcaac56016ba83149cb0423d6653397fad78e8a41da71ed48993e550
SHA5129bf96ae8b0d3fb5bdcd5b38f16abb8beaa41c82d72ea937e6a795a02d43a7c5a6d06a0e9d1b65c6da6ee3942fb7ad1b85650cfbf1227374f8fd29bd9a3f8d17c
-
Filesize
1.1MB
MD5d0728e075e66bda22bb6c030502a689a
SHA160c3cce7d1e1921794cd00308efb73f3412384fb
SHA256fb2fe8e18856af09231edefccc7d54b881d8f488f91ff61f4c09995c33aaafce
SHA512773f413ef51bc2493a940011645c40d1f55d06a53e8e60032ed01ad016184d67289a9fd9d3bb8af42fbdca29f0bb927e0137ff4f5f0914ea52b58646051962ef
-
Filesize
576B
MD5432a8b1057c5da436991e46d3d6a853b
SHA132d30803e27778d1465c690a12dba766468c0dd2
SHA25652aa6764fd7d9351012db0ad3162dde1ec960a4282638dc147547796606f14af
SHA5123b298027b408cb5428e8ec3300ed135606a5f93702e5ba7510bc3aee50eeca040a8ec63d2304b1b4f1cfce90dae90b581307dbb22cbe4f0049e27eab06079fe6
-
Filesize
609B
MD53ca81c358e87ab45344063040983a66b
SHA18e80c1e5f8ea843579fdcb91a5e32447e0ccbb28
SHA256148e6ac4213eb6a567bdcb93d20686dbabb68e5783fd1156ef905578a360128d
SHA51244e00054ff2c5b1699d1aa43d3164fbee03da17cfdd7b6285ac0903fae03f5b7716c5ef006e763dea28df77979069f644c486737b49565ca71390b1ba07eee02