Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
25-09-2024 19:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe
Resource
win7-20240708-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
12 signatures
150 seconds
General
-
Target
f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe
-
Size
253KB
-
MD5
f6b09f164d9dff2942d2977e10f0f121
-
SHA1
c7c78e6a15faeb4fc81dce878d629b3ccc0ca811
-
SHA256
f3a6e5010278054ba42e8c388598096c3d6528cd3550c60b2687c2e4bf0522c3
-
SHA512
45bc7dd718f4b1bbe2df3e6616b156eb661a40dfa34335a46f1f7f1cb396e9cb51a4970baa9c46387f02518fd5464168b9cb930bf6d2c67e186b79b620455f27
-
SSDEEP
6144:kRXdt7KzrIU2ykH2ipsPnafFlerkb3LrtoetumddZR6wkB:6z7KzrIjXnOitlt3Noer
Score
10/10
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 5 IoCs
resource yara_rule behavioral1/memory/2360-13-0x0000000000400000-0x0000000000447000-memory.dmp modiloader_stage2 behavioral1/memory/2416-32-0x0000000000400000-0x0000000000447000-memory.dmp modiloader_stage2 behavioral1/memory/2416-33-0x0000000000400000-0x0000000000447000-memory.dmp modiloader_stage2 behavioral1/memory/2360-34-0x0000000000400000-0x0000000000447000-memory.dmp modiloader_stage2 behavioral1/memory/2416-44-0x0000000000400000-0x0000000000447000-memory.dmp modiloader_stage2 -
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run server.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\server = "C:\\Windows\\server.exe" server.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{HC06N7DC-2L82-FB74-5D8L-R623TE8OYETJ} server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{HC06N7DC-2L82-FB74-5D8L-R623TE8OYETJ}\StubPath = "\"C:\\Windows\\server.exe\"" server.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate server.exe -
Executes dropped EXE 1 IoCs
pid Process 2416 server.exe -
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum server.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 server.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\PCGWIN32.LI4 f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe File created C:\Windows\server.exe f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe File opened for modification C:\Windows\server.exe f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe File opened for modification C:\Windows\PCGWIN32.LI4 server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString server.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 server.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier server.exe -
Modifies registry class 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\{097421CA-3E3E050A-5413DCD4-C5785A64} f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\{D50DBC70-EDF2330C-38FF8F7C} f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\{D50DBC70-EDF2330C-38FF8F7C} server.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\{097421CA-3E3E050A-5413DCD4-C5785A64}\ = 7cf23712ee4d36282f5636bfdfd979b8e01f60f9975b4e42167571dcdcb838deddf9c45843f97a18e339d25f454603f10a9bb385255f7c06624b70d6cdedbf68195180b89823ba7d1ce4fb6ee5b78fe11688b1d294fa8f6236ed9fd7c6f1df53c6f2e1d2dc32f9d3dc72c755de7086d7d04e7e89a7eb4e9516c30f2ab6522e0b17723e9ba7c501b37c1da5b82ca017ba0e22a9bb0c650bbc529bf5fddc9b38fd5fd8467b4fda56fd71e41c81857f2ca6555e4007bc3e18a7fdc1e737516e30f7292e5409c30cd248044f43d66ab0b590e03eb45912808d0dab14cdc06bb452908370f25fac0636de6f3876db51ba789b5d7d7818273b6ea29614400d65f4209d8db8f42512a0834a85f3a3ed1d37c4dec287aabe0b666a7f5526bfdf1906c401dc307aa35bc5fa43a2b26d9a8bbccde4ebbf35269c9179b89f58f905a31c02c745de40f98e98e846a87f112678bf5f59b9b8e3a3a5d540b3f9255ce0ba3564207f23e6a2d03372e5656f90763f9fe679ff1c66fa301ceb076d5e34392363927a3ba3221d3578dca3b8c5dc7f44e6a1ce9c3645dfe0868e8fb636d0af404985ec60ea7d0ae4eded88174a7e931975f8ec658903efe2e97a0fe596038e3276e36f5a3604af3f36661fd106075e3e39d964bf6d99e8c3978d8e08094b53cdbf6cc87154ac43eac3469a12c5206d3dbad6cb3ccc260501da897018815a1eebb947b5198ecc65ef05323bf0f65721e743c86a f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\{097421CA-3E3E050A-5413DCD4-C5785A64}\ = 7cf23712ee4d36282f5636bfdfd979b8e01f60f9975b4e42167571dcdcb838deddf9c45843f97a18e339d25f454603f10a9bb385255f7c0667c0be22caedbf68195180b89823ba7d1ce4fb6ee5b78fe11688b1d294fa8f6236ed9fd7c6f1df53c6f2e1d2dc32f9d3dc72c755de7086d7d04e7e89a7eb4e9516c30f2ab6522e0b17723e9ba7c501b37c1da5b82ca017ba0e22a9bb0c650bbc529bf5fddc9b38fd5fd8467b4fda56fd71e41c81857f2ca6555e4007bc3e18a7fdc1e737516e30f7292e5409c30cd248044f43d66ab0b590e03eb45912808d0dab14cdc06bb452908370f25fac0636de6f3876db51ba789b5d7d7818273b6ea29614400d65f4209d8db8f42512a0834a85f3a3ed1d37c4dec287aabe0b666a7f5526bfdf1906c401dc307aa35bc5fa43a2b26d9a8bbccde4ebbf35269c9179b89f58f905a31c02c745de40f98e98e846a87f112678bf5f59b9b8e3a3a5d540b3f9255ce0ba3564207f23e6a2d03372e5656f90763f9fe679ff1c66fa301ceb076d5e34392363927a3ba3221d3578dca3b8c5dc7f44e6a1ce9c3645dfe0868e8fb636d0af404985ec60ea7d0ae4eded88174a7e931975f8ec658903efe2e97a0fe596038e3276e36f5a3604af3f36661fd106075e3e39d964bf6d99e8c3978d8e08094b53cdbf6cc87154ac43eac3469a12c5206d3dbad6cb3ccc260501da897018815a1eebb947b5198ecc65ef05323bf0f65721f52070af f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\{D50DBC70-EDF2330C-38FF8F7C}\ = "2631623744" f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\{097421CA-3E3E050A-5413DCD4-C5785A64}\ = 7cf23712ee4d36282f5636bfdfd979b8e01f60f9975b4e42167571dcdcb838deddf9c45843f97a18e339d25f454603f10a9bb385255f7c0667c0be22caedbf6859355b249823ba7d1ce4fb6ee5b78fe11688b1d294fa8f6236ed9fd7c6f1df53c6f2e1d2dc32f9d3dc72c755de7086d7d04e7e89a7eb4e9516c30f2ab6522e0b17723e9ba7c501b37c1da5b82ca017ba0e22a9bb0c650bbc529bf5fddc9b38fd5fd8467b4fda56fd71e41c81857f2ca6555e4007bc3e18a7fdc1e737516e30f7292e5409c30cd248044f43d66ab0b590e03eb45912808d0dab14cdc06bb452908370f25fac0636de6f3876db51ba789b5d7d7818273b6ea29614400d65f4209d8db8f42512a0834a85f3a3ed1d37c4dec287aabe0b666a7f5526bfdf1906c401dc307aa35bc5fa43a2b26d9a8bbccde4ebbf35269c9179b89f58f905a31c02c745de40f98e98e846a87f112678bf5f59b9b8e3a3a5d540b3f9255ce0ba3564207f23e6a2d03372e5656f90763f9fe679ff1c66fa301ceb076d5e34392363927a3ba3221d3578dca3b8c5dc7f44e6a1ce9c3645dfe0868e8fb636d0af404985ec60ea7d0ae4eded88174a7e931975f8ec658903efe2e97a0fe596038e3276e36f5a3604af3f36661fd106075e3e39d964bf6d99e8c3978d8e08094b53dd666cc87154ac43eac3469a12c5206d3dbad6cb3ccc260501da897018815a1eebb947b5198ecc65ef05323bf0f65721b1e70d5b f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\{097421CA-3E3E050A-5413DCD4-C5785A64} server.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\{097421CA-3E3E050A-5413DCD4-C5785A64}\ = 7cf23712ee4d36282f5636bfdfd979b8e01f60f9975b4e42167571dcdcb838deddf9c45843f97a18e339d25f454603f10a9bb385255f7c0667c0be22caedbf6859355b249823ba7d1ce4fb6ee5b78fe11688b1d294fa8f6236ed9fd7c6f1df53c6f2e1d2dc32f9d3dc72c755de7086d7d04e7e89a7eb4e9516c30f2ab6522e0b17723e9ba7c501b37c1da5b82ca017ba0e22a9bb0c650bbc529bf5fddc9b38fd5fd8467b4fda56fd71e41c81857f2ca6555e4007bc3e18a7fdc1e737516e30f7292e5409c30cd248044f43d66ab0b590e03eb45912808d0dab14cdc06bb452908370f25fac0636de6f3876db51ba789b5d7d7818273b6ea29614400d65f4209d8db8f42512a0834a85f3a3ed1d37c4dec287aabe0b666a7f5526bfdf1906c401dc307aa35bc5fa43a2b26d9a8bbccde4ebbf35269c9179b89f58f905a31c02c745de40f98e98e846a87f112678bf5f59b9b8e3a3a5d540b3f9255ce0ba3564207f23e6a2d03372e5656f90763f9fe679ff1c66fa301ceb076d5e34392363927a3ba3221d3578dca3b8c5dc7f44e6a1ce9c3645dfe0868e8fb636d0af404985ec60ea7d0ae4eded88174a7e931975f8ec658903efe2e97a0fe596038e3276e36f5a3604af3f36661fd106075e3e39d964bf6d99e8c3978d8e08094b53edb90fc87154ac43eac3469a12c5206d3dbad6cb3ccc260501da897018815a1eebb947b5198ecc65ef05323bf0f65721b1271a5b server.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\{097421CA-3E3E050A-5413DCD4-C5785A64}\ = 7cf23712ee4d36282f5636bfdfd979b8e01f60f9975b4e42167571dcdcb838deddf9c45843f97a18e339d25f454603f10a9bb385255f7c0667c0be22cbedbf6859355b249823ba7d1ce4fb6ee5b78fe11688b1d294fa8f6236ed9fd7c6f1df53c6f2e1d2dc32f9d3dc72c755de7086d7d04e7e89a7eb4e9516c30f2ab6522e0b17723e9ba7c501b37c1da5b82ca017ba0e22a9bb0c650bbc529bf5fddc9b38fd5fd8467b4fda56fd71e41c81857f2ca6555e4007bc3e18a7fdc1e737516e30f7292e5409c30cd248044f43d66ab0b590e03eb45912808d0dab14cdc06bb452908370f25fac0636de6f3876db51ba789b5d7d7818273b6ea29614400d65f4209d8db8f42512a0834a85f3a3ed1d37c4dec287aabe0b666a7f5526bfdf1906c401dc307aa35bc5fa43a2b26d9a8bbccde4ebbf35269c9179b89f58f905a31c02c745de40f98e98e846a87f112678bf5f59b9b8e3a3a5d540b3f9255ce0ba3564207f23e6a2d03372e5656f90763f9fe679ff1c66fa301ceb076d5e34392363927a3ba3221d3578dca3b8c5dc7f44e6a1ce9c3645dfe0868e8fb636d0af404985ec60ea7d0ae4eded88174a7e931975f8ec658903efe2e97a0fe596038e3276e36f5a3604af3f36661fd106075e3e39d964bf6d99e8c3978d8e08094b53edb90fc87154ac43eac3469a12c5206d3dbad6cb3ccc260501da897018815a1eebb947b5198ecc65ef05323bf0f6572181da6485 server.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2360 wrote to memory of 2416 2360 f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe 30 PID 2360 wrote to memory of 2416 2360 f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe 30 PID 2360 wrote to memory of 2416 2360 f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe 30 PID 2360 wrote to memory of 2416 2360 f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe 30 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31 PID 2416 wrote to memory of 2816 2416 server.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe"1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\server.exe"C:\Windows\server.exe" \melt "C:\Users\Admin\AppData\Local\Temp\f6b09f164d9dff2942d2977e10f0f121_JaffaCakes118.exe"2⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"3⤵PID:2816
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
528B
MD56b09e3c8508a2c393bf3391b4ece0c38
SHA1f5c8ef817ee07685d6824a56d815846dd2a33711
SHA256d0432310c6e74a0f8ef859449c4ef3a986a11d3f35a93d79142f3de3f6fb9c88
SHA512aca63e45c5283f6e432798e6468e0c1a1bfdcd460101991202e64521cb1655daac5c50d48b8c5cd23329e071353d2aea0b29d6e2d194e652fa7b2f3929c1068d
-
Filesize
528B
MD5b0b8ac6daee22cc80c239af6edb5de1c
SHA1f4f2ba91a56399c4f79e4835270166723c107773
SHA256d44b5d3425d3633ca800f99b3404d7724df7a8895f408e4597b466a6dea5e3f0
SHA5126e31182b221cfeabb4af161230c218dba2f1a5935e4459688ab29665f651a8b1dae65216b7408471752f191bc57d75fb15e48ca0d68212ca356a592e88ba04ee
-
Filesize
253KB
MD5f6b09f164d9dff2942d2977e10f0f121
SHA1c7c78e6a15faeb4fc81dce878d629b3ccc0ca811
SHA256f3a6e5010278054ba42e8c388598096c3d6528cd3550c60b2687c2e4bf0522c3
SHA51245bc7dd718f4b1bbe2df3e6616b156eb661a40dfa34335a46f1f7f1cb396e9cb51a4970baa9c46387f02518fd5464168b9cb930bf6d2c67e186b79b620455f27