Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system -
submitted
25-06-2024 23:00
Static task
static1
Behavioral task
behavioral1
Sample
0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe
Resource
win7-20240419-en
General
-
Target
0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe
-
Size
166KB
-
MD5
0fd88cfe1f9c64397fbea129ab06660a
-
SHA1
681b659890e12af234e38b2e5bb30683bc47218b
-
SHA256
15b77509dd9a565a94678c590ff9c451df621f8f7ca4ec36534f010c49849665
-
SHA512
6c729ca31867e08f5c2450cc84e1bea271109048dbf923ba4bd1ebdd6a3d2250e96952e8fb2e07278b64c49b6a1e329297d0880ca65d2fe9a2dd12719593776b
-
SSDEEP
1536:WNpbWTono2PF9yJH9KBjH7ZoSQoL+Qz6AxAvf/PqhXnzyP5xC1VXfbJpeU4KyQ5V:PdKFOoL16AOHHCRQU4S5GBWVLn
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe
-
Executes dropped EXE 2 IoCs
pid | Process
3048 | 0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe
2708 | WaterMark.exe
-
Loads dropped DLL 4 IoCs
pid | Process
2976 | 0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe
2976 | 0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe
3048 | 0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe
3048 | 0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe
-
resource | yara_rule
behavioral1/memory/3048-16-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/3048-22-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/3048-18-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/3048-17-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/3048-15-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/3048-14-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/3048-13-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2708-42-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2708-554-0x0000000000400000-0x0000000000421000-memory.dmp | upx
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
-
Drops file in Program Files directory 64 IoCs
Suspicious behavior: EnumeratesProcesses 37 IoCs
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2708 | WaterMark.exe
Token: SeDebugPrivilege | 2568 | svchost.exe
Token: SeDebugPrivilege | 2708 | WaterMark.exe
-
Suspicious use of UnmapMainImage 2 IoCs
pid | Process
3048 | 0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe
2708 | WaterMark.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
PID 256  C:\Windows\System32\smss.exe  (command line: \SystemRoot\System32\smss.exe)
PID 332  C:\Windows\system32\csrss.exe  (command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16)
PID 380  C:\Windows\system32\wininit.exe  (command line: wininit.exe)
  PID 476  C:\Windows\system32\services.exe  (command line: C:\Windows\system32\services.exe)
    PID 596  C:\Windows\system32\svchost.exe  (command line: C:\Windows\system32\svchost.exe -k DcomLaunch)
      PID 1280  C:\Windows\system32\DllHost.exe  (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
      PID 836  C:\Windows\system32\wbem\wmiprvse.exe  (command line: C:\Windows\system32\wbem\wmiprvse.exe -Embedding)
    PID 672  C:\Windows\system32\svchost.exe  (command line: C:\Windows\system32\svchost.exe -k RPCSS)
    PID 748  C:\Windows\System32\svchost.exe  (command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted)
    PID 816  C:\Windows\System32\svchost.exe  (command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted)
      PID 1164  C:\Windows\system32\Dwm.exe  (command line: "C:\Windows\system32\Dwm.exe")
    PID 852  C:\Windows\system32\svchost.exe  (command line: C:\Windows\system32\svchost.exe -k netsvcs)
      PID 2900  C:\Windows\system32\wbem\WMIADAP.EXE  (command line: wmiadap.exe /F /T /R)
    PID 964  C:\Windows\system32\svchost.exe  (command line: C:\Windows\system32\svchost.exe -k LocalService)
    PID 280  C:\Windows\system32\svchost.exe  (command line: C:\Windows\system32\svchost.exe -k NetworkService)
    PID 1008  C:\Windows\System32\spoolsv.exe  (command line: C:\Windows\System32\spoolsv.exe)
    PID 1064  C:\Windows\system32\svchost.exe  (command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork)
    PID 1100  C:\Windows\system32\taskhost.exe  (command line: "taskhost.exe")
    PID 2152  C:\Windows\system32\svchost.exe  (command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation)
    PID 2140  C:\Windows\system32\sppsvc.exe  (command line: C:\Windows\system32\sppsvc.exe)
  PID 492  C:\Windows\system32\lsass.exe  (command line: C:\Windows\system32\lsass.exe)
  PID 500  C:\Windows\system32\lsm.exe  (command line: C:\Windows\system32\lsm.exe)
PID 396  C:\Windows\system32\csrss.exe  (command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16)
PID 432  C:\Windows\system32\winlogon.exe  (command line: winlogon.exe)
PID 1192  C:\Windows\Explorer.EXE  (command line: C:\Windows\Explorer.EXE)
  PID 2976  C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118.exe")
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID 3048  C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe  (command line: C:\Users\Admin\AppData\Local\Temp\0fd88cfe1f9c64397fbea129ab06660a_JaffaCakes118mgr.exe)
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of UnmapMainImage
      - Suspicious use of WriteProcessMemory
      PID 2708  C:\Program Files (x86)\Microsoft\WaterMark.exe  (command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe")
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        PID 2728  C:\Windows\SysWOW64\svchost.exe  (command line: C:\Windows\system32\svchost.exe)
          - Modifies WinLogon for persistence
          - Drops file in System32 directory
          - Drops file in Program Files directory
        PID 2568  C:\Windows\SysWOW64\svchost.exe  (command line: C:\Windows\system32\svchost.exe)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads