Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
27-06-2024 02:43
Static task
static1
Behavioral task
behavioral1
Sample
1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe
Resource
win7-20240419-en
General
-
Target
1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe
-
Size
390KB
-
MD5
1464f3dcd4b0d324dba1f25edfdfbc48
-
SHA1
783bc3b80a525a199d8455a770538c6ffc1d9763
-
SHA256
76e44b55cee89612253fc46a745d993c410d9f4c81e18b2b90a2b42dd9f81909
-
SHA512
8f70177a7f0ee6a60880aa6d126ab679763670842db2b49e88e2f8e8e2995f494204687f3591bca0b570b3316d3c0701c29b287cc421c069c427829334044dcc
-
SSDEEP
6144:OHDpevpiZ+BrNgMvrW8L8axJ1jh4LmXJljbPYj0hX/bOV3wobnzLX:OV+piZ+BhPvrW84ch4L0/QjeP0RzL
Malware Config
Extracted
darkcomet
®2050
127solo4ever.no-ip.info:7695
DC_MUTEX-JX4GZZ5
-
InstallPath
MSDCSC\HostServices.exe
-
gencode
jm3NqZerrg9Z
-
install
true
-
offline_keylogger
true
-
password
8621
-
persistence
true
-
reg_key
Microsoft corporation
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\HostServices.exe" 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exeattrib.exepid process 4704 attrib.exe 3824 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe -
Deletes itself 1 IoCs
Processes:
notepad.exepid process 636 notepad.exe -
Executes dropped EXE 2 IoCs
Processes:
HostServices.exeHostServices.exepid process 688 HostServices.exe 1008 HostServices.exe -
Processes:
resource yara_rule behavioral2/memory/3744-4-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/3744-0-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/3744-2-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/3744-1-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/3744-6-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/3744-8-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/3744-7-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/3744-9-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/3744-10-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/3744-46-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/1008-54-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/1008-56-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/1008-59-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/1008-57-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/1008-60-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/1008-61-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/1008-62-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/1008-63-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/1008-64-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/1008-65-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/1008-66-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/1008-67-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/1008-68-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/1008-69-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/1008-70-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/1008-71-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/1008-72-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/1008-73-0x0000000000400000-0x00000000004CA000-memory.dmp upx behavioral2/memory/1008-74-0x0000000000400000-0x00000000004CA000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exeHostServices.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft corporation = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\HostServices.exe" 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft corporation = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\HostServices.exe" HostServices.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exeHostServices.exedescription pid process target process PID 1456 set thread context of 3744 1456 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe PID 688 set thread context of 1008 688 HostServices.exe HostServices.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exeHostServices.exedescription pid process Token: SeIncreaseQuotaPrivilege 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: SeSecurityPrivilege 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: SeLoadDriverPrivilege 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: SeSystemProfilePrivilege 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: SeSystemtimePrivilege 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: SeBackupPrivilege 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: SeRestorePrivilege 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: SeShutdownPrivilege 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: SeDebugPrivilege 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: SeUndockPrivilege 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: SeManageVolumePrivilege 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: SeImpersonatePrivilege 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: 33 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: 34 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: 35 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: 36 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 1008 HostServices.exe Token: SeSecurityPrivilege 1008 HostServices.exe Token: SeTakeOwnershipPrivilege 1008 HostServices.exe Token: SeLoadDriverPrivilege 1008 HostServices.exe Token: SeSystemProfilePrivilege 1008 HostServices.exe Token: SeSystemtimePrivilege 1008 HostServices.exe Token: SeProfSingleProcessPrivilege 1008 HostServices.exe Token: SeIncBasePriorityPrivilege 1008 HostServices.exe Token: SeCreatePagefilePrivilege 1008 HostServices.exe Token: SeBackupPrivilege 1008 HostServices.exe Token: SeRestorePrivilege 1008 HostServices.exe Token: SeShutdownPrivilege 1008 HostServices.exe Token: SeDebugPrivilege 1008 HostServices.exe Token: SeSystemEnvironmentPrivilege 1008 HostServices.exe Token: SeChangeNotifyPrivilege 1008 HostServices.exe Token: SeRemoteShutdownPrivilege 1008 HostServices.exe Token: SeUndockPrivilege 1008 HostServices.exe Token: SeManageVolumePrivilege 1008 HostServices.exe Token: SeImpersonatePrivilege 1008 HostServices.exe Token: SeCreateGlobalPrivilege 1008 HostServices.exe Token: 33 1008 HostServices.exe Token: 34 1008 HostServices.exe Token: 35 1008 HostServices.exe Token: 36 1008 HostServices.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
HostServices.exepid process 1008 HostServices.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.execmd.execmd.exeHostServices.exeHostServices.exedescription pid process target process PID 1456 wrote to memory of 3744 1456 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe PID 1456 wrote to memory of 3744 1456 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe PID 1456 wrote to memory of 3744 1456 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe PID 1456 wrote to memory of 3744 1456 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe PID 1456 wrote to memory of 3744 1456 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe PID 1456 wrote to memory of 3744 1456 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe PID 1456 wrote to memory of 3744 1456 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe PID 1456 wrote to memory of 3744 1456 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe PID 3744 wrote to memory of 4824 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe cmd.exe PID 3744 wrote to memory of 4824 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe cmd.exe PID 3744 wrote to memory of 4824 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe cmd.exe PID 3744 wrote to memory of 632 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe cmd.exe PID 3744 wrote to memory of 632 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe cmd.exe PID 3744 wrote to memory of 632 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe cmd.exe PID 3744 wrote to memory of 636 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe notepad.exe PID 3744 wrote to memory of 636 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe notepad.exe PID 3744 wrote to memory of 636 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe notepad.exe PID 3744 wrote to memory of 636 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe notepad.exe PID 3744 wrote to memory of 636 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe notepad.exe PID 3744 wrote to memory of 636 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe notepad.exe PID 3744 wrote to memory of 636 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe notepad.exe PID 3744 wrote to memory of 636 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe notepad.exe PID 3744 wrote to memory of 636 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe notepad.exe PID 3744 wrote to memory of 636 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe notepad.exe PID 3744 wrote to memory of 636 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe notepad.exe PID 3744 wrote to memory of 636 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe notepad.exe PID 3744 wrote to memory of 636 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe notepad.exe PID 3744 wrote to memory of 636 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe notepad.exe PID 3744 wrote to memory of 636 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe notepad.exe PID 3744 wrote to memory of 636 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe notepad.exe PID 3744 wrote to memory of 636 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe notepad.exe PID 4824 wrote to memory of 3824 4824 cmd.exe attrib.exe PID 4824 wrote to memory of 3824 4824 cmd.exe attrib.exe PID 4824 wrote to memory of 3824 4824 cmd.exe attrib.exe PID 632 wrote to memory of 4704 632 cmd.exe attrib.exe PID 632 wrote to memory of 4704 632 cmd.exe attrib.exe PID 632 wrote to memory of 4704 632 cmd.exe attrib.exe PID 3744 wrote to memory of 688 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe HostServices.exe PID 3744 wrote to memory of 688 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe HostServices.exe PID 3744 wrote to memory of 688 3744 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe HostServices.exe PID 688 wrote to memory of 1008 688 HostServices.exe HostServices.exe PID 688 wrote to memory of 1008 688 HostServices.exe HostServices.exe PID 688 wrote to memory of 1008 688 HostServices.exe HostServices.exe PID 688 wrote to memory of 1008 688 HostServices.exe HostServices.exe PID 688 wrote to memory of 1008 688 HostServices.exe HostServices.exe PID 688 wrote to memory of 1008 688 HostServices.exe HostServices.exe PID 688 wrote to memory of 1008 688 HostServices.exe HostServices.exe PID 688 wrote to memory of 1008 688 HostServices.exe HostServices.exe PID 1008 wrote to memory of 1376 1008 HostServices.exe notepad.exe PID 1008 wrote to memory of 1376 1008 HostServices.exe notepad.exe PID 1008 wrote to memory of 1376 1008 HostServices.exe notepad.exe PID 1008 wrote to memory of 1376 1008 HostServices.exe notepad.exe PID 1008 wrote to memory of 1376 1008 HostServices.exe notepad.exe PID 1008 wrote to memory of 1376 1008 HostServices.exe notepad.exe PID 1008 wrote to memory of 1376 1008 HostServices.exe notepad.exe PID 1008 wrote to memory of 1376 1008 HostServices.exe notepad.exe PID 1008 wrote to memory of 1376 1008 HostServices.exe notepad.exe PID 1008 wrote to memory of 1376 1008 HostServices.exe notepad.exe PID 1008 wrote to memory of 1376 1008 HostServices.exe notepad.exe PID 1008 wrote to memory of 1376 1008 HostServices.exe notepad.exe PID 1008 wrote to memory of 1376 1008 HostServices.exe notepad.exe PID 1008 wrote to memory of 1376 1008 HostServices.exe notepad.exe PID 1008 wrote to memory of 1376 1008 HostServices.exe notepad.exe PID 1008 wrote to memory of 1376 1008 HostServices.exe notepad.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 3824 attrib.exe 4704 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Users\Admin\AppData\Local\Temp\1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
PID:4824 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3824 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4704 -
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- Deletes itself
PID:636 -
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\HostServices.exe"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\HostServices.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:688 -
C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\HostServices.exe"C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\HostServices.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\notepad.exenotepad5⤵PID:1376
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
390KB
MD51464f3dcd4b0d324dba1f25edfdfbc48
SHA1783bc3b80a525a199d8455a770538c6ffc1d9763
SHA25676e44b55cee89612253fc46a745d993c410d9f4c81e18b2b90a2b42dd9f81909
SHA5128f70177a7f0ee6a60880aa6d126ab679763670842db2b49e88e2f8e8e2995f494204687f3591bca0b570b3316d3c0701c29b287cc421c069c427829334044dcc