Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
26-08-2024 07:41
Static task
static1
Behavioral task
behavioral1
Sample
c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe
-
Size
70KB
-
MD5
c28df91181f376b966d558fd74b33efd
-
SHA1
3a5881092174ef953d427773d43b8c31d8edd1e5
-
SHA256
c7c6223c4bf0cde83792b7d19497da7572b42e3ff4b0659f7c379b47c51708c9
-
SHA512
237a84305f3a862acc5951dd4af3aeb9630feebaa94967dd89db0ce56abd4e4ca7487199fbe8f813ea663591f02780fcd9eaf901206d95975082ce1ebb4abeca
-
SSDEEP
1536:NYaXzJk4lKgkR3hA039o+vBpb/H7NEDVz+kTQpH5M:NhyVR3H397BpjsokToH5
Malware Config
Signatures
-
Renames multiple (215) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Drivers directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe File opened for modification C:\Windows\system32\drivers\etc\hosts Logo1_.exe -
Executes dropped EXE 2 IoCs
pid Process 4860 Logo1_.exe 3716 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" Logo1_.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Java\jdk-1.8\bin\serialver.exe.Exe Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe.Exe Logo1_.exe File created C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.Exe Logo1_.exe File opened for modification C:\Program Files\Mozilla Firefox\updater.exe Logo1_.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84546\javaw.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe.Exe Logo1_.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe Logo1_.exe File created C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.Exe Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.Exe Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe Logo1_.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe.Exe Logo1_.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeComRegisterShellARM64.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe Logo1_.exe File created C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe.Exe Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeComRegisterShellARM64.exe.Exe Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.Exe Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.Exe Logo1_.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.Exe Logo1_.exe File created C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe.Exe Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe.Exe Logo1_.exe File created C:\Program Files\Java\jdk-1.8\bin\jdeps.exe.Exe Logo1_.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe.Exe Logo1_.exe File created C:\Program Files\Java\jre-1.8\bin\javacpl.exe.Exe Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe.Exe Logo1_.exe File created C:\Program Files\Java\jre-1.8\bin\kinit.exe.Exe Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe Logo1_.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.Exe Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.Exe Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE Logo1_.exe File created C:\Program Files\Java\jdk-1.8\bin\jcmd.exe.Exe Logo1_.exe File created C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.Exe Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe Logo1_.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe.Exe Logo1_.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdate.exe Logo1_.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe.Exe Logo1_.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe Logo1_.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.Exe Logo1_.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe.Exe Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe.Exe Logo1_.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe.Exe Logo1_.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.Exe Logo1_.exe File created C:\Program Files\Java\jdk-1.8\bin\javaws.exe.Exe Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe.Exe Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe.Exe Logo1_.exe File created C:\Program Files\Java\jre-1.8\bin\jabswitch.exe.Exe Logo1_.exe File created C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE.Exe Logo1_.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.exe Logo1_.exe File created C:\Program Files\dotnet\dotnet.exe.Exe Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Logo1_.exe c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe File opened for modification C:\Windows\uninstall\rundl132.exe Logo1_.exe File created C:\Windows\RichDll.dll Logo1_.exe File created C:\Windows\uninstall\rundl132.exe c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Logo1_.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe 4860 Logo1_.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 2928 wrote to memory of 3472 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 86 PID 2928 wrote to memory of 3472 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 86 PID 2928 wrote to memory of 3472 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 86 PID 3472 wrote to memory of 1352 3472 net.exe 88 PID 3472 wrote to memory of 1352 3472 net.exe 88 PID 3472 wrote to memory of 1352 3472 net.exe 88 PID 2928 wrote to memory of 844 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 92 PID 2928 wrote to memory of 844 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 92 PID 2928 wrote to memory of 844 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 92 PID 2928 wrote to memory of 4860 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 94 PID 2928 wrote to memory of 4860 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 94 PID 2928 wrote to memory of 4860 2928 c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe 94 PID 844 wrote to memory of 3716 844 cmd.exe 95 PID 844 wrote to memory of 3716 844 cmd.exe 95 PID 844 wrote to memory of 3716 844 cmd.exe 95 PID 4860 wrote to memory of 5112 4860 Logo1_.exe 96 PID 4860 wrote to memory of 5112 4860 Logo1_.exe 96 PID 4860 wrote to memory of 5112 4860 Logo1_.exe 96 PID 5112 wrote to memory of 2816 5112 net.exe 98 PID 5112 wrote to memory of 2816 5112 net.exe 98 PID 5112 wrote to memory of 2816 5112 net.exe 98 PID 4860 wrote to memory of 3608 4860 Logo1_.exe 99 PID 4860 wrote to memory of 3608 4860 Logo1_.exe 99 PID 4860 wrote to memory of 3608 4860 Logo1_.exe 99 PID 3608 wrote to memory of 4528 3608 net.exe 101 PID 3608 wrote to memory of 4528 3608 net.exe 101 PID 3608 wrote to memory of 4528 3608 net.exe 101 PID 4860 wrote to memory of 3524 4860 Logo1_.exe 56 PID 4860 wrote to memory of 3524 4860 Logo1_.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3524
-
C:\Users\Admin\AppData\Local\Temp\c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe"2⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
PID:1352
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8424.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Users\Admin\AppData\Local\Temp\c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\c28df91181f376b966d558fd74b33efd_JaffaCakes118.exe"4⤵
- Executes dropped EXE
PID:3716
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵
- System Location Discovery: System Language Discovery
PID:2816
-
-
-
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵
- System Location Discovery: System Language Discovery
PID:4528
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
603KB
MD5e06d406678cc8d0e514cb0324f8a1d4b
SHA12111af41f93cad49281476b5341ca2828c055f7c
SHA256be326523a0a393371588ca9af9f34a419f333758bb1d0d90dcfb738da96f4db0
SHA51220fa6757a307ca7d92e0888dc0f1151c91a22758e9f50cd80c352e08f441a4d0160cebf1c67057bf7817a582b9f77b6704858f96e56c52f9727c4f522d14ee5b
-
Filesize
614B
MD56520f397fc04e94cf530d2cab0194724
SHA1ff749c040f56be119fb4d60736f79f60c815a76c
SHA25621df893558dcec2abdb2760eaff61ad8a6e2f98c76044c0e7dc10dc37741b8a0
SHA512e8c13b2347e68384c6b98f4f82999f63671ef3daea4c6ab0a9c639b0eadf996a47f6c5cb450f3f6b42c0e8afb3c084ae8dca2b224dd0bebec0926a8c8bdbf61b
-
Filesize
11KB
MD525d3c1a5dce621c2f5c35bde131b32e2
SHA18d1727e136f26bd8386e7237d50cc6b39ca1362e
SHA25653d85864c9c2a58b0d2773c5aaa00d6862a1780acb53625f6e054cb3c2199ad6
SHA512489c7b2aa0cacf8be052249b471883fb7e7ce6e4a178643236e039ae571145307381956ca85c22101aad4dc757ea104146ae7c3938dd492c1c9ef85bf36533a1
-
Filesize
59KB
MD5ae94cf26d3cf1ddfec5acd7270045e54
SHA1575f7b9eedba31fc3dacca8444ae091d369c968e
SHA2565ae541ab2e90eef03ecc84522a6af155985ecb961382e1b81f6238f22ec4472b
SHA512f69ee24775e8e048b80705c7432c11e6f1a6041bad4747a033e48fce3472d8c72d3b0b049316eaba4a8cf14ec840e8e1a65fddcd4f038347996262e48ccc5c27
-
Filesize
842B
MD56f4adf207ef402d9ef40c6aa52ffd245
SHA14b05b495619c643f02e278dede8f5b1392555a57
SHA256d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
SHA512a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47