Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-12-2024 17:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2ff9a759b1a15d61783762a9c3595a0983972d5e8117b4ad30239ad40f43dd19N.dll
Resource
win7-20240903-en
windows7-x64
12 signatures
120 seconds
General
-
Target
2ff9a759b1a15d61783762a9c3595a0983972d5e8117b4ad30239ad40f43dd19N.dll
-
Size
156KB
-
MD5
cbaea82b71660159af6de5a530d04e20
-
SHA1
f2d1de3d319fa613d6579c3a3ffdc08dfe2d0d8f
-
SHA256
2ff9a759b1a15d61783762a9c3595a0983972d5e8117b4ad30239ad40f43dd19
-
SHA512
4cf29c705eb7b9dec6baad65330e6f29709eb8d2734833689cb0562c40ac2722386c8e98703203677d4df3acb26a76db40cdc3c197d29d74397f27057ac725fa
-
SSDEEP
3072:ln4cV8gf2u41Z5tKlw6XZufRdL+eONORnKW12hB7:B4y8gOl2puiORnj12hB7
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Ramnit family
-
Executes dropped EXE 2 IoCs
pid Process 1524 rundll32mgr.exe 1996 WaterMark.exe -
Loads dropped DLL 4 IoCs
pid Process 2340 rundll32.exe 2340 rundll32.exe 1524 rundll32mgr.exe 1524 rundll32mgr.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
resource yara_rule behavioral1/memory/1524-11-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1996-23-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1996-21-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1996-63-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1996-579-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\Uninstall.exe svchost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\MAPISHELL.DLL svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libshm_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\msadc\msdarem.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxml2.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationBuildTasks.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.RunTime.Serialization.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libaribsub_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_chromecast_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcanvas_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\msdatl3.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Services.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libtimecode_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libx264_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmotiondetect_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe svchost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Conversion.v3.5.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Xml.Linq.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Design.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libyuv_plugin.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Client.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_dummy_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\JavaAccessBridge-64.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.RunTime.Serialization.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libedgedetection_plugin.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationTypes.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Design.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libmpg123_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Defender\MpSvc.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\ieinstal.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\fxplugins.dll svchost.exe File opened for modification C:\Program Files\Windows Journal\jnwppr.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html svchost.exe File opened for modification C:\Program Files\Microsoft Games\Chess\Chess.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Windows.Presentation.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libattachment_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libt140_plugin.dll svchost.exe File opened for modification C:\Program Files\7-Zip\7-zip.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\ado\msadomd.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jaas_nt.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libsvcdsub_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libvc1_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libstats_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Defender\MpOAV.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\jsprofilerui.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\hprof.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\ReachFramework.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Linq.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libequalizer_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatializer_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libwebvtt_plugin.dll svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32mgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process 1996 WaterMark.exe 1996 WaterMark.exe 1996 WaterMark.exe 1996 WaterMark.exe 1996 WaterMark.exe 1996 WaterMark.exe 1996 WaterMark.exe 1996 WaterMark.exe 2052 svchost.exe 2052 svchost.exe 2052 svchost.exe 2052 svchost.exe 2052 svchost.exe 2052 svchost.exe 2052 svchost.exe 2052 svchost.exe 2052 svchost.exe 2052 svchost.exe 2052 svchost.exe 2052 svchost.exe 2052 svchost.exe 2052 svchost.exe 2052 svchost.exe 2052 svchost.exe 2052 svchost.exe 2052 svchost.exe 2052 svchost.exe 2052 svchost.exe 2052 svchost.exe 2052 svchost.exe 2052 svchost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1996 WaterMark.exe Token: SeDebugPrivilege 2052 svchost.exe Token: SeDebugPrivilege 1996 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2668 wrote to memory of 2340 2668 rundll32.exe 30 PID 2668 wrote to memory of 2340 2668 rundll32.exe 30 PID 2668 wrote to memory of 2340 2668 rundll32.exe 30 PID 2668 wrote to memory of 2340 2668 rundll32.exe 30 PID 2668 wrote to memory of 2340 2668 rundll32.exe 30 PID 2668 wrote to memory of 2340 2668 rundll32.exe 30 PID 2668 wrote to memory of 2340 2668 rundll32.exe 30 PID 2340 wrote to memory of 1524 2340 rundll32.exe 31 PID 2340 wrote to memory of 1524 2340 rundll32.exe 31 PID 2340 wrote to memory of 1524 2340 rundll32.exe 31 PID 2340 wrote to memory of 1524 2340 rundll32.exe 31 PID 1524 wrote to memory of 1996 1524 rundll32mgr.exe 32 PID 1524 wrote to memory of 1996 1524 rundll32mgr.exe 32 PID 1524 wrote to memory of 1996 1524 rundll32mgr.exe 32 PID 1524 wrote to memory of 1996 1524 rundll32mgr.exe 32 PID 1996 wrote to memory of 2260 1996 WaterMark.exe 33 PID 1996 wrote to memory of 2260 1996 WaterMark.exe 33 PID 1996 wrote to memory of 2260 1996 WaterMark.exe 33 PID 1996 wrote to memory of 2260 1996 WaterMark.exe 33 PID 1996 wrote to memory of 2260 1996 WaterMark.exe 33 PID 1996 wrote to memory of 2260 1996 WaterMark.exe 33 PID 1996 wrote to memory of 2260 1996 WaterMark.exe 33 PID 1996 wrote to memory of 2260 1996 WaterMark.exe 33 PID 1996 wrote to memory of 2260 1996 WaterMark.exe 33 PID 1996 wrote to memory of 2260 1996 WaterMark.exe 33 PID 1996 wrote to memory of 2052 1996 WaterMark.exe 34 PID 1996 wrote to memory of 2052 1996 WaterMark.exe 34 PID 1996 wrote to memory of 2052 1996 WaterMark.exe 34 PID 1996 wrote to memory of 2052 1996 WaterMark.exe 34 PID 1996 wrote to memory of 2052 1996 WaterMark.exe 34 PID 1996 wrote to memory of 2052 1996 WaterMark.exe 34 PID 1996 wrote to memory of 2052 1996 WaterMark.exe 34 PID 1996 wrote to memory of 2052 1996 WaterMark.exe 34 PID 1996 wrote to memory of 2052 1996 WaterMark.exe 34 PID 1996 wrote to memory of 2052 1996 WaterMark.exe 34 PID 2052 wrote to memory of 256 2052 svchost.exe 1 PID 2052 wrote to memory of 256 2052 svchost.exe 1 PID 2052 wrote to memory of 256 2052 svchost.exe 1 PID 2052 wrote to memory of 256 2052 svchost.exe 1 PID 2052 wrote to memory of 256 2052 svchost.exe 1 PID 2052 wrote to memory of 332 2052 svchost.exe 2 PID 2052 wrote to memory of 332 2052 svchost.exe 2 PID 2052 wrote to memory of 332 2052 svchost.exe 2 PID 2052 wrote to memory of 332 2052 svchost.exe 2 PID 2052 wrote to memory of 332 2052 svchost.exe 2 PID 2052 wrote to memory of 380 2052 svchost.exe 3 PID 2052 wrote to memory of 380 2052 svchost.exe 3 PID 2052 wrote to memory of 380 2052 svchost.exe 3 PID 2052 wrote to memory of 380 2052 svchost.exe 3 PID 2052 wrote to memory of 380 2052 svchost.exe 3 PID 2052 wrote to memory of 392 2052 svchost.exe 4 PID 2052 wrote to memory of 392 2052 svchost.exe 4 PID 2052 wrote to memory of 392 2052 svchost.exe 4 PID 2052 wrote to memory of 392 2052 svchost.exe 4 PID 2052 wrote to memory of 392 2052 svchost.exe 4 PID 2052 wrote to memory of 428 2052 svchost.exe 5 PID 2052 wrote to memory of 428 2052 svchost.exe 5 PID 2052 wrote to memory of 428 2052 svchost.exe 5 PID 2052 wrote to memory of 428 2052 svchost.exe 5 PID 2052 wrote to memory of 428 2052 svchost.exe 5 PID 2052 wrote to memory of 472 2052 svchost.exe 6 PID 2052 wrote to memory of 472 2052 svchost.exe 6 PID 2052 wrote to memory of 472 2052 svchost.exe 6 PID 2052 wrote to memory of 472 2052 svchost.exe 6
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:256
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:332
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:380
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:472
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:600
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:1352
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵PID:268
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:680
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:748
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:816
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1176
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:852
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵PID:840
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:964
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:108
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:1016
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:1052
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1120
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵PID:1604
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:3040
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:2560
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:488
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:496
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:392
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:428
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1240
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2ff9a759b1a15d61783762a9c3595a0983972d5e8117b4ad30239ad40f43dd19N.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2ff9a759b1a15d61783762a9c3595a0983972d5e8117b4ad30239ad40f43dd19N.dll,#13⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\rundll32mgr.exeC:\Windows\SysWOW64\rundll32mgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2260
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize144KB
MD5e294f5976f455d75120e531986af945c
SHA14d18a11c05da2e468884fbc210203dd6ccecba58
SHA2569b605d2c59c8c8bc1c1708fc0a943e808930a9567f80e12bd1ec5bafdb093780
SHA512fcc4b70d575ca2382a2f2a0d0cd1262aa6e206f8a142d1a97614f8194fc05bb6bf2fdf00351403bef7601bd76964989e0eed356fe25a7f9f5226601e68d58cfe
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize140KB
MD53f389a3a4634137b280dce01a24c39a7
SHA1214fbdf7597596c7a40a87b9b435ed7840b87781
SHA25692bf0c554d28ac6e20ab116a13260eaae87c763a76fee9559aebd2e422930d38
SHA512a83f67a174f79e43b18f6ab16fc4d654fbe026a4eca69f57a1fd89a340155ec9a1fb8c58671c14b3651564d8f50d7f509aa434e7bdc7fdbd2096068b00c3fb39
-
Filesize
65KB
MD5a9ea94ee4a3bb43d4057823b2072dc54
SHA194ade3c34ec08613daba8a1240586c24f8169794
SHA2567edbb67a880d90e53ec7949c4907f4ccf5596899b98ed8651b01a485a7b06789
SHA5120ae24a452c474a0b67eb17ceb78eabc46aad7f04a249d526cbd1bf25ccc94016133ee6cdd1cf342fa3c8dbff60372d18df56137a6c0303bbaee07f005f930ab5