Analysis
- max time kernel: 150s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20250502-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/05/2025, 08:26
Static task: static1
Behavioral task: behavioral1
Sample: 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe
Resource: win10v2004-20250502-en
General
- Target: 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe
- Size: 2.8MB
- MD5: 54cf9ec843c9722df240cb6a72557843
- SHA1: 93ef940092574d4dbb4bf997a3ba67e875c79a20
- SHA256: 5594a874d100e3e32d43273973cb09376a09ad4df20e0d74912af9ae8d2da96b
- SHA512: a28a001112ffda39d66d9f7f52165de118fa1baf9b8babc5e5ba63f4cdd769057cf8af9698b3259c57346bc6e00d9c4defa7d04e4ee9c5644463951a6fccdd03
- SSDEEP: 49152:cYpXVmyjkeKRLbRHkqvlStQyfvE0Z3R0nxiIq2dsuH+Dj3IbmMl:ZpXVRjkeKRfrKtQRq2tEMl
Malware Config
Signatures
-
Detects Mofksys worm 5 IoCs
resource | yara_rule
behavioral1/files/0x0007000000024248-8.dat | family_mofksys
behavioral1/files/0x000800000002424c-15.dat | family_mofksys
behavioral1/files/0x000800000002424e-24.dat | family_mofksys
behavioral1/files/0x0008000000024250-38.dat | family_mofksys
behavioral1/files/0x000900000002424f-49.dat | family_mofksys
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
-
Mofksys family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | svchost.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} | svchost.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
-
Drops file in Drivers directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\mbamtestfile.dat | 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe
File created | C:\Windows\SysWOW64\drivers\mbamtestfile.dat | 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe
-
Executes dropped EXE 8 IoCs
pid | Process
3080 | 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe
264 | icsys.icn.exe
5260 | explorer.exe
5800 | spoolsv.exe
5028 | svchost.exe
2276 | spoolsv.exe
4720 | explorer.exe
4872 | svchost.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\mbamtestfile.dat | 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe
File created | C:\Program Files (x86)\mbamtestfile.dat | 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe
-
Drops file in Windows directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
File opened for modification | \??\c:\windows\system\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | at.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3080 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe 3080 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe 264 icsys.icn.exe 264 icsys.icn.exe 5260 explorer.exe 5260 explorer.exe 5260 explorer.exe 5260 explorer.exe 5260 explorer.exe 5260 explorer.exe 5260 explorer.exe 5260 explorer.exe 5028 svchost.exe 5028 svchost.exe 5028 svchost.exe 5028 svchost.exe 5260 explorer.exe 5260 explorer.exe 5028 svchost.exe 5028 svchost.exe 5028 svchost.exe 5028 svchost.exe 5260 explorer.exe 5260 explorer.exe 5028 svchost.exe 5028 svchost.exe 5028 svchost.exe 5028 svchost.exe 5028 svchost.exe 5028 svchost.exe 5260 explorer.exe 5260 explorer.exe 5028 svchost.exe 5028 svchost.exe 5028 svchost.exe 5028 svchost.exe 5260 explorer.exe 5260 explorer.exe 5260 explorer.exe 5260 explorer.exe 5028 svchost.exe 5028 svchost.exe 5260 explorer.exe 5260 explorer.exe 5260 explorer.exe 5260 explorer.exe 5028 svchost.exe 5028 svchost.exe 5260 explorer.exe 5260 explorer.exe 5028 svchost.exe 5028 svchost.exe 5260 explorer.exe 5260 explorer.exe 5028 svchost.exe 5028 svchost.exe 5260 explorer.exe 5260 explorer.exe 5028 svchost.exe 5028 svchost.exe 5260 explorer.exe 5260 explorer.exe 5028 svchost.exe 5028 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
5260 | explorer.exe
5028 | svchost.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
3080 | 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe
-
Suspicious use of SetWindowsHookEx 18 IoCs
pid | Process
5412 | 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe
5412 | 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe
264 | icsys.icn.exe
264 | icsys.icn.exe
5260 | explorer.exe
5260 | explorer.exe
5800 | spoolsv.exe
5800 | spoolsv.exe
5028 | svchost.exe
5028 | svchost.exe
2276 | spoolsv.exe
2276 | spoolsv.exe
5260 | explorer.exe
5260 | explorer.exe
4720 | explorer.exe
4720 | explorer.exe
4872 | svchost.exe
4872 | svchost.exe
-
Suspicious use of WriteProcessMemory 33 IoCs
description | pid | Process | procid_target
PID 5412 wrote to memory of 3080 | 5412 | 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe | 88
PID 5412 wrote to memory of 3080 | 5412 | 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe | 88
PID 5412 wrote to memory of 3080 | 5412 | 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe | 88
PID 5412 wrote to memory of 264 | 5412 | 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe | 89
PID 5412 wrote to memory of 264 | 5412 | 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe | 89
PID 5412 wrote to memory of 264 | 5412 | 2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe | 89
PID 264 wrote to memory of 5260 | 264 | icsys.icn.exe | 90
PID 264 wrote to memory of 5260 | 264 | icsys.icn.exe | 90
PID 264 wrote to memory of 5260 | 264 | icsys.icn.exe | 90
PID 5260 wrote to memory of 5800 | 5260 | explorer.exe | 92
PID 5260 wrote to memory of 5800 | 5260 | explorer.exe | 92
PID 5260 wrote to memory of 5800 | 5260 | explorer.exe | 92
PID 5800 wrote to memory of 5028 | 5800 | spoolsv.exe | 93
PID 5800 wrote to memory of 5028 | 5800 | spoolsv.exe | 93
PID 5800 wrote to memory of 5028 | 5800 | spoolsv.exe | 93
PID 5028 wrote to memory of 2276 | 5028 | svchost.exe | 94
PID 5028 wrote to memory of 2276 | 5028 | svchost.exe | 94
PID 5028 wrote to memory of 2276 | 5028 | svchost.exe | 94
PID 5028 wrote to memory of 4836 | 5028 | svchost.exe | 100
PID 5028 wrote to memory of 4836 | 5028 | svchost.exe | 100
PID 5028 wrote to memory of 4836 | 5028 | svchost.exe | 100
PID 3320 wrote to memory of 4720 | 3320 | cmd.exe | 102
PID 3320 wrote to memory of 4720 | 3320 | cmd.exe | 102
PID 3320 wrote to memory of 4720 | 3320 | cmd.exe | 102
PID 3680 wrote to memory of 4872 | 3680 | cmd.exe | 103
PID 3680 wrote to memory of 4872 | 3680 | cmd.exe | 103
PID 3680 wrote to memory of 4872 | 3680 | cmd.exe | 103
PID 5028 wrote to memory of 3176 | 5028 | svchost.exe | 121
PID 5028 wrote to memory of 3176 | 5028 | svchost.exe | 121
PID 5028 wrote to memory of 3176 | 5028 | svchost.exe | 121
PID 5028 wrote to memory of 5128 | 5028 | svchost.exe | 124
PID 5028 wrote to memory of 5128 | 5028 | svchost.exe | 124
PID 5028 wrote to memory of 5128 | 5028 | svchost.exe | 124
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 5412

  \??\c:\users\admin\appdata\local\temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe
  Command line: c:\users\admin\appdata\local\temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID: 3080

  C:\Users\Admin\AppData\Local\icsys.icn.exe
  Command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 264

    \??\c:\windows\system\explorer.exe
    Command line: c:\windows\system\explorer.exe
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 5260

      \??\c:\windows\system\spoolsv.exe
      Command line: c:\windows\system\spoolsv.exe SE
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 5800

        \??\c:\windows\system\svchost.exe
        Command line: c:\windows\system\svchost.exe
        - Modifies WinLogon for persistence
        - Modifies visiblity of hidden/system files in Explorer
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 5028

          \??\c:\windows\system\spoolsv.exe
          Command line: c:\windows\system\spoolsv.exe PR
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID: 2276

          C:\Windows\SysWOW64\at.exe
          Command line: at 08:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          - System Location Discovery: System Language Discovery
          PID: 4836

          C:\Windows\SysWOW64\at.exe
          Command line: at 08:30 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          - System Location Discovery: System Language Discovery
          PID: 3176

          C:\Windows\SysWOW64\at.exe
          Command line: at 08:31 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
          - System Location Discovery: System Language Discovery
          PID: 5128

C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO
- Suspicious use of WriteProcessMemory
PID: 3320

  \??\c:\windows\system\explorer.exe
  Command line: c:\windows\system\explorer.exe RO
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 4720

C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO
- Suspicious use of WriteProcessMemory
PID: 3680

  \??\c:\windows\system\svchost.exe
  Command line: c:\windows\system\svchost.exe RO
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID: 4872

Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution: 3
- Active Setup: 1
- Registry Run Keys / Startup Folder: 1
- Winlogon Helper DLL: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 3
- Active Setup: 1
- Registry Run Keys / Startup Folder: 1
- Winlogon Helper DLL: 1
Defense Evasion
- Hide Artifacts: 1
- Hidden Files and Directories: 1
- Modify Registry: 4
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2025-05-20_54cf9ec843c9722df240cb6a72557843_amadey_black-basta_darkgate_elex_luca-stealer.exe
Filesize: 2.6MB