Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
131s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
18/08/2024, 09:41
Behavioral task
behavioral1
Sample
a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe
-
Size
138KB
-
MD5
a648da1b92d2e19564da7141abd6a568
-
SHA1
76c8d878b4e6b5fadaea382a2eb910c1608fd1de
-
SHA256
c7d5ccb45fb3d0fa4b91ae0123c3443975769176aa15ccc24def13d6dd8e812d
-
SHA512
eb0ae9f673356ddf4dd692cfe9ff037a4614d83f5d132f766fd4a0750b548d7b3ba92cf38a1c73f4d150f2387cf20d5dc5e063ae6d1cbab553eb0e96174e61db
-
SSDEEP
1536:icZdCROWxp1sYEPKJ8q5LLF6n1DDE+IwL2cPj7qEYa9YzeGwf1dP0unZnouy8:iwCcWxp1R5hLsDE+52UqER+gTdJout
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xal6whv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\11np.exe" a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts 11np.exe -
Deletes itself 1 IoCs
pid Process 2420 cmd.exe -
Executes dropped EXE 3 IoCs
pid Process 2924 11np.exe 2424 11np.exe 1480 11np.exe -
Loads dropped DLL 4 IoCs
pid Process 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 2924 11np.exe 2924 11np.exe -
resource yara_rule behavioral1/memory/2268-0-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0020000000018b03-13.dat upx behavioral1/memory/2268-25-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2424-34-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2924-36-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2424-37-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2424-38-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1480-48-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1480-49-0x0000000000400000-0x000000000042B000-memory.dmp upx -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\h95oj1.log 11np.exe File opened for modification C:\Windows\SysWOW64\h95oj1.log 11np.exe -
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2136 sc.exe 2008 sc.exe 1572 sc.exe 1436 sc.exe 2192 sc.exe 2992 sc.exe 1988 sc.exe 2444 sc.exe -
System Location Discovery: System Language Discovery 1 TTPs 29 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 11np.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 11np.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 11np.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main 11np.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main 11np.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main 11np.exe -
Runs net.exe
-
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 2924 11np.exe 2924 11np.exe 2924 11np.exe 2424 11np.exe 2424 11np.exe 2424 11np.exe 1480 11np.exe 1480 11np.exe 1480 11np.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2268 wrote to memory of 2836 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 31 PID 2268 wrote to memory of 2836 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 31 PID 2268 wrote to memory of 2836 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 31 PID 2268 wrote to memory of 2836 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 31 PID 2268 wrote to memory of 2192 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 32 PID 2268 wrote to memory of 2192 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 32 PID 2268 wrote to memory of 2192 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 32 PID 2268 wrote to memory of 2192 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 32 PID 2268 wrote to memory of 2864 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 34 PID 2268 wrote to memory of 2864 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 34 PID 2268 wrote to memory of 2864 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 34 PID 2268 wrote to memory of 2864 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 34 PID 2268 wrote to memory of 2992 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 36 PID 2268 wrote to memory of 2992 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 36 PID 2268 wrote to memory of 2992 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 36 PID 2268 wrote to memory of 2992 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 36 PID 2268 wrote to memory of 2924 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 39 PID 2268 wrote to memory of 2924 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 39 PID 2268 wrote to memory of 2924 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 39 PID 2268 wrote to memory of 2924 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 39 PID 2864 wrote to memory of 2724 2864 net.exe 40 PID 2864 wrote to memory of 2724 2864 net.exe 40 PID 2864 wrote to memory of 2724 2864 net.exe 40 PID 2864 wrote to memory of 2724 2864 net.exe 40 PID 2836 wrote to memory of 2776 2836 net.exe 41 PID 2836 wrote to memory of 2776 2836 net.exe 41 PID 2836 wrote to memory of 2776 2836 net.exe 41 PID 2836 wrote to memory of 2776 2836 net.exe 41 PID 2268 wrote to memory of 2420 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 42 PID 2268 wrote to memory of 2420 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 42 PID 2268 wrote to memory of 2420 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 42 PID 2268 wrote to memory of 2420 2268 a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe 42 PID 2924 wrote to memory of 288 2924 11np.exe 44 PID 2924 wrote to memory of 288 2924 11np.exe 44 PID 2924 wrote to memory of 288 2924 11np.exe 44 PID 2924 wrote to memory of 288 2924 11np.exe 44 PID 2924 wrote to memory of 1988 2924 11np.exe 45 PID 2924 wrote to memory of 1988 2924 11np.exe 45 PID 2924 wrote to memory of 1988 2924 11np.exe 45 PID 2924 wrote to memory of 1988 2924 11np.exe 45 PID 2924 wrote to memory of 1580 2924 11np.exe 48 PID 2924 wrote to memory of 1580 2924 11np.exe 48 PID 2924 wrote to memory of 1580 2924 11np.exe 48 PID 2924 wrote to memory of 1580 2924 11np.exe 48 PID 2924 wrote to memory of 2444 2924 11np.exe 49 PID 2924 wrote to memory of 2444 2924 11np.exe 49 PID 2924 wrote to memory of 2444 2924 11np.exe 49 PID 2924 wrote to memory of 2444 2924 11np.exe 49 PID 2924 wrote to memory of 2424 2924 11np.exe 50 PID 2924 wrote to memory of 2424 2924 11np.exe 50 PID 2924 wrote to memory of 2424 2924 11np.exe 50 PID 2924 wrote to memory of 2424 2924 11np.exe 50 PID 288 wrote to memory of 1352 288 net.exe 53 PID 288 wrote to memory of 1352 288 net.exe 53 PID 288 wrote to memory of 1352 288 net.exe 53 PID 288 wrote to memory of 1352 288 net.exe 53 PID 1580 wrote to memory of 708 1580 net.exe 54 PID 1580 wrote to memory of 708 1580 net.exe 54 PID 1580 wrote to memory of 708 1580 net.exe 54 PID 1580 wrote to memory of 708 1580 net.exe 54 PID 2424 wrote to memory of 1348 2424 11np.exe 55 PID 2424 wrote to memory of 1348 2424 11np.exe 55 PID 2424 wrote to memory of 1348 2424 11np.exe 55 PID 2424 wrote to memory of 1348 2424 11np.exe 55
Processes
-
C:\Users\Admin\AppData\Local\Temp\a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a648da1b92d2e19564da7141abd6a568_JaffaCakes118.exe"1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\net.exenet.exe stop "Security Center"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Security Center"3⤵
- System Location Discovery: System Language Discovery
PID:2776
-
-
-
C:\Windows\SysWOW64\sc.exesc config wscsvc start= DISABLED2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2192
-
-
C:\Windows\SysWOW64\net.exenet.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"3⤵
- System Location Discovery: System Language Discovery
PID:2724
-
-
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= DISABLED2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2992
-
-
C:\Users\Admin\AppData\Local\Temp\11np.exeC:\Users\Admin\AppData\Local\Temp\11np.exe2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\net.exenet.exe stop "Security Center"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:288 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Security Center"4⤵
- System Location Discovery: System Language Discovery
PID:1352
-
-
-
C:\Windows\SysWOW64\sc.exesc config wscsvc start= DISABLED3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1988
-
-
C:\Windows\SysWOW64\net.exenet.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"4⤵
- System Location Discovery: System Language Discovery
PID:708
-
-
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= DISABLED3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2444
-
-
C:\Users\Admin\AppData\Local\Temp\11np.exeC:\Users\Admin\AppData\Local\Temp\11np.exe -dB9AA7D97FB3C4D9266979FB8581C33C006D91077594275A3A7C230B32DF69FC47D06F7DF3D5381F2E288E6815468CAEF9B993E81036DD8FC5D69710244F7CF6C8F02D6615D90E9005267A02907CD0D08BFBB1154D0AEA25E6FC7EB83BE5DA5D9411728233517F9525784EA8F1AD2FFAB62A9B596397F67202013DCE3E49146FE2227398CDDEB68BCD3E2217476A3E763B6469786F7F4FCBDEF73C0A5409F16C1055097EDB0D62930E686E2B245F449D32C4565A5042577B19E9F55DA9BDBBB61FA950F0A4513728EF1710A80EE7EEAA974DC0B5997AC2CBD2ECB981AFD4F19C6529DAE5575C0B9089678B6221BDDCFF07F3EB6AA2BA8B100E04DC551AF5556019D42C16F5BCEB103B5494478B5F83DE98028D3E97865D9443475590D3B80D7FEAEFED43C4E74507E704D4F23E5F9BA56E62D10A57807BC99EDDF127869D4403795D9B5E5E841CA762621B5C013F3091C624E592662A3ACB30ABBED75436377DBA4297147012B964C7A8793F4EA1831A6E60CDB95B1D34030CD9C264D11B8A17C6A4D558DB3D968974D10461352A676C7A3B803011DE24D22B7763AAF5D85223BB929EE563⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\net.exenet.exe stop "Security Center"4⤵
- System Location Discovery: System Language Discovery
PID:1348 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Security Center"5⤵
- System Location Discovery: System Language Discovery
PID:580
-
-
-
C:\Windows\SysWOW64\sc.exesc config wscsvc start= DISABLED4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2136
-
-
C:\Windows\SysWOW64\net.exenet.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"4⤵
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"5⤵
- System Location Discovery: System Language Discovery
PID:764
-
-
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= DISABLED4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2008
-
-
-
C:\Users\Admin\AppData\Local\Temp\11np.exeC:\Users\Admin\AppData\Local\Temp\11np.exe -dDCCF49A373B4D30C8C7D8CABFCB8897AB6696007BFA4BD6BE287C7440BD094CF6F143018E48A12611C76EC8BA5993316CDCFE15EE98737138CB882F1AC1F3D9ECF42FE49AE6313FAF9CCB83118D24D482327F8AB62ED949C1BB9E087749841C9ADC9A1BE0C212AB522EDEEBB5F8CBCE707C7B196034B4B082F1EFEBE0C8FA510FBF345F37536ED25D9EECB98C213A7360BE75B59E4E80F5FAA30385B5DB2AF7AEAB6572EA5FA302A9FC8CB82CB6471D0016A813E5F7CD613ACA22DBD90A2E239EA97848D92D909E03558AC3542C3BFEDF848F1B20D4FD5579643B9370EB905ECAD63BA4476B3CC629C606AF831F97736437BB791C7B5814409B3F97280761C4924FF2599CB470EBF14EE4379E0ADBE7971D92264A5878F17E7A14A18CE666C477F3332DA4973A48A201DB3CCD9C4F90E5599BD76006EF3DB50134923239E7A0D2F638EDEE940A4187F78780DE404CCD9FFD3562973B2E4FBA617D24AE7C70CA0E76A2711E4CE63B933CE8EE90AF81D8AC02AF9B7D5B7D5A589D8046FC26B25F895B229F1B4DE758A7D20336A956910A5280CF5C640007DFBDA143B669F810C1E6DFE3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1480 -
C:\Windows\SysWOW64\net.exenet.exe stop "Security Center"4⤵
- System Location Discovery: System Language Discovery
PID:1848 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Security Center"5⤵
- System Location Discovery: System Language Discovery
PID:2948
-
-
-
C:\Windows\SysWOW64\sc.exesc config wscsvc start= DISABLED4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1436
-
-
C:\Windows\SysWOW64\net.exenet.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"4⤵
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"5⤵
- System Location Discovery: System Language Discovery
PID:2872
-
-
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start= DISABLED4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1572
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\phvpisznn.bat2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2420
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
138KB
MD5a648da1b92d2e19564da7141abd6a568
SHA176c8d878b4e6b5fadaea382a2eb910c1608fd1de
SHA256c7d5ccb45fb3d0fa4b91ae0123c3443975769176aa15ccc24def13d6dd8e812d
SHA512eb0ae9f673356ddf4dd692cfe9ff037a4614d83f5d132f766fd4a0750b548d7b3ba92cf38a1c73f4d150f2387cf20d5dc5e063ae6d1cbab553eb0e96174e61db
-
Filesize
218B
MD586ba9e547c57d50e4c076e5717356bf0
SHA117125a5c4245f7df57b1291af35817bc36c7fbd9
SHA2563b5c05a442fce80fff11f7c05bbaece2ae053393a8390f5f7477a25a8cdc0e72
SHA5128a6352e9f27269d07a06a74ce1edde0dc6ef346f55c8ae1c02fb356bf48ff13549b7841e40c4b8dddff1208ef4661107b915a198d654b4ab57d3915adac6d4f9