Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
26-06-2024 01:53
Static task
static1
Behavioral task
behavioral1
Sample
105471cd9d4eb09ec42bac2b0290f889_JaffaCakes118.dll
Resource
win7-20240508-en
General
-
Target
105471cd9d4eb09ec42bac2b0290f889_JaffaCakes118.dll
-
Size
532KB
-
MD5
105471cd9d4eb09ec42bac2b0290f889
-
SHA1
eb25bc1ab8a97b3a2b4272938a009fef7de51c05
-
SHA256
7e08634dac987ef53fb2fc692f6788221bde14b3b48cf28650539b0c24c89c41
-
SHA512
32be63e092fc98dd035e385527b084ad49ddc1847e6208ceda8db4bcd19e4bee9b2b781b96c60ca85ff5ca50e14a8dcd7a9da86f654ebf3c56ce5cc4152c8658
-
SSDEEP
6144:0ZLT3A5Dp0HvFIc5vBlcQGSgS62iiiiiSySYSGS+8c8c8AAANA/AA0fMGrgPhclc:0ZL7A5l0711g8onrOcWAqVvv/JYeiJI
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Executes dropped EXE 2 IoCs
pid Process 2104 rundll32mgr.exe 2872 WaterMark.exe -
Loads dropped DLL 4 IoCs
pid Process 2824 rundll32.exe 2824 rundll32.exe 2104 rundll32mgr.exe 2104 rundll32mgr.exe -
resource yara_rule behavioral1/memory/2104-10-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2104-17-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2104-21-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2104-18-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2104-15-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2104-12-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2104-11-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2872-40-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2872-617-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2872-620-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\notificationserver.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libdxva2_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libyuv_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\msdaps.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libshm_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\skchobj.dll svchost.exe File opened for modification C:\Program Files\Windows Journal\JNTFiltr.dll svchost.exe File opened for modification C:\Program Files\Windows Mail\msoe.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\clock.html svchost.exe File opened for modification C:\Program Files\Windows Sidebar\wlsrvc.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\jfxwebkit.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationProvider.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libspdif_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_duplicate_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\settings.html svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CoolType.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\perf_nt.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\w2k_lsa_auth.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libattachment_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libhqdn3d_plugin.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\JSProfilerCore.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationProvider.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClient.resources.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\ado\msadomd.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe svchost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\1033\BHOINTL.DLL svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\librotate_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\MSOINTL.DLL svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\glib-lite.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsdec_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libdmo_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libgestures_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRdIF.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ccme_base.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwjpn.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspeex_resampler_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\settings.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxslt.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\qipcap64.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Linq.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Services.Client.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libvcd_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libnetsync_plugin.dll svchost.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2092 2824 WerFault.exe 28 -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process 2872 WaterMark.exe 2872 WaterMark.exe 2872 WaterMark.exe 2872 WaterMark.exe 2872 WaterMark.exe 2872 WaterMark.exe 2872 WaterMark.exe 2872 WaterMark.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe 2304 svchost.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 2872 WaterMark.exe Token: SeDebugPrivilege 2304 svchost.exe Token: SeDebugPrivilege 2824 rundll32.exe Token: SeDebugPrivilege 2092 WerFault.exe Token: SeDebugPrivilege 2872 WaterMark.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 2104 rundll32mgr.exe 2872 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2244 wrote to memory of 2824 2244 rundll32.exe 28 PID 2244 wrote to memory of 2824 2244 rundll32.exe 28 PID 2244 wrote to memory of 2824 2244 rundll32.exe 28 PID 2244 wrote to memory of 2824 2244 rundll32.exe 28 PID 2244 wrote to memory of 2824 2244 rundll32.exe 28 PID 2244 wrote to memory of 2824 2244 rundll32.exe 28 PID 2244 wrote to memory of 2824 2244 rundll32.exe 28 PID 2824 wrote to memory of 2104 2824 rundll32.exe 29 PID 2824 wrote to memory of 2104 2824 rundll32.exe 29 PID 2824 wrote to memory of 2104 2824 rundll32.exe 29 PID 2824 wrote to memory of 2104 2824 rundll32.exe 29 PID 2824 wrote to memory of 2092 2824 rundll32.exe 30 PID 2824 wrote to memory of 2092 2824 rundll32.exe 30 PID 2824 wrote to memory of 2092 2824 rundll32.exe 30 PID 2824 wrote to memory of 2092 2824 rundll32.exe 30 PID 2104 wrote to memory of 2872 2104 rundll32mgr.exe 31 PID 2104 wrote to memory of 2872 2104 rundll32mgr.exe 31 PID 2104 wrote to memory of 2872 2104 rundll32mgr.exe 31 PID 2104 wrote to memory of 2872 2104 rundll32mgr.exe 31 PID 2872 wrote to memory of 3032 2872 WaterMark.exe 32 PID 2872 wrote to memory of 3032 2872 WaterMark.exe 32 PID 2872 wrote to memory of 3032 2872 WaterMark.exe 32 PID 2872 wrote to memory of 3032 2872 WaterMark.exe 32 PID 2872 wrote to memory of 3032 2872 WaterMark.exe 32 PID 2872 wrote to memory of 3032 2872 WaterMark.exe 32 PID 2872 wrote to memory of 3032 2872 WaterMark.exe 32 PID 2872 wrote to memory of 3032 2872 WaterMark.exe 32 PID 2872 wrote to memory of 3032 2872 WaterMark.exe 32 PID 2872 wrote to memory of 3032 2872 WaterMark.exe 32 PID 2872 wrote to memory of 2304 2872 WaterMark.exe 33 PID 2872 wrote to memory of 2304 2872 WaterMark.exe 33 PID 2872 wrote to memory of 2304 2872 WaterMark.exe 33 PID 2872 wrote to memory of 2304 2872 WaterMark.exe 33 PID 2872 wrote to memory of 2304 2872 WaterMark.exe 33 PID 2872 wrote to memory of 2304 2872 WaterMark.exe 33 PID 2872 wrote to memory of 2304 2872 WaterMark.exe 33 PID 2872 wrote to memory of 2304 2872 WaterMark.exe 33 PID 2872 wrote to memory of 2304 2872 WaterMark.exe 33 PID 2872 wrote to memory of 2304 2872 WaterMark.exe 33 PID 2304 wrote to memory of 256 2304 svchost.exe 1 PID 2304 wrote to memory of 256 2304 svchost.exe 1 PID 2304 wrote to memory of 256 2304 svchost.exe 1 PID 2304 wrote to memory of 256 2304 svchost.exe 1 PID 2304 wrote to memory of 256 2304 svchost.exe 1 PID 2304 wrote to memory of 332 2304 svchost.exe 2 PID 2304 wrote to memory of 332 2304 svchost.exe 2 PID 2304 wrote to memory of 332 2304 svchost.exe 2 PID 2304 wrote to memory of 332 2304 svchost.exe 2 PID 2304 wrote to memory of 332 2304 svchost.exe 2 PID 2304 wrote to memory of 384 2304 svchost.exe 3 PID 2304 wrote to memory of 384 2304 svchost.exe 3 PID 2304 wrote to memory of 384 2304 svchost.exe 3 PID 2304 wrote to memory of 384 2304 svchost.exe 3 PID 2304 wrote to memory of 384 2304 svchost.exe 3 PID 2304 wrote to memory of 392 2304 svchost.exe 4 PID 2304 wrote to memory of 392 2304 svchost.exe 4 PID 2304 wrote to memory of 392 2304 svchost.exe 4 PID 2304 wrote to memory of 392 2304 svchost.exe 4 PID 2304 wrote to memory of 392 2304 svchost.exe 4 PID 2304 wrote to memory of 432 2304 svchost.exe 5 PID 2304 wrote to memory of 432 2304 svchost.exe 5 PID 2304 wrote to memory of 432 2304 svchost.exe 5 PID 2304 wrote to memory of 432 2304 svchost.exe 5 PID 2304 wrote to memory of 432 2304 svchost.exe 5
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:256
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:332
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:384
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:476
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:592
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:2212
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding4⤵PID:1128
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:672
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:736
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:804
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1160
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:832
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵PID:1608
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:964
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:236
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:988
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:1060
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1096
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:3008
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:1304
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:488
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:496
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:392
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:432
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1204
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\105471cd9d4eb09ec42bac2b0290f889_JaffaCakes118.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\105471cd9d4eb09ec42bac2b0290f889_JaffaCakes118.dll,#13⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:3032
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 2284⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2092
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize133KB
MD5e373c5ef26d2c5f00e9edb4a222f2479
SHA10301cb41c5f06e71268a338ba9796017137e9739
SHA25630bc44fc1cc5328a0e6141f3bf6322aa604854de32ff5e17a7d511cb736aa0f2
SHA512a08617aa87ee6daa98c4d70a3a8dd3ef611098a3d4e5fcd08ce95b58a3313ca7d180fab0434f4a34f05f2ba40c6c610ecbf84a9f1ab39e22f46e0e5d327d91a7
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize129KB
MD5e5280b9b3d8e58f710b2fb9eb1a38c76
SHA18c2cc85b191c990f7c7cd48fed4801a621bc4b6f
SHA256154a6203ec9bb095d031b03323195af43828abbb6a4d3e60114318c83b1f9873
SHA512320e626ff7c1340a9d2997672034da636f73364ed9b1df113d6103cbc8ad0fbd6b24f39b0c329221c19af77a718d479cf7798395afb3e6bbe3285a8af7268433
-
Filesize
60KB
MD5c27dc77f49f2be740e3bf1b64387882e
SHA182f4ce73d55f46e1ecccbf406f9420364a82872f
SHA256a0bac67a54681dcc7ec8204eb959a540356568b06b1a03cec6ec42ed6e9f1715
SHA51214880de329428973dbcc2c726fee09dcc3666ab7aab69e32864577e01216ca8a58ac901d261ad1a84e0d3d6926c328b53d92beb695cc3dd1d6f453a5d853314e