Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 15-12-2024 20:19
Static task: static1
Behavioral task: behavioral1
Sample: f599abb1bd76636cd689728e6e40b7cc_JaffaCakes118.dll
Resource: win7-20240903-en
General
- Target: f599abb1bd76636cd689728e6e40b7cc_JaffaCakes118.dll
- Size: 200KB
- MD5: f599abb1bd76636cd689728e6e40b7cc
- SHA1: c842f02dba8e6ccb2d2e5daa6cb736ad4b76d9b9
- SHA256: 17338a454f7baf5f73b7ff7a65e322e328f0dc192b3de8e50d9a0205fc8cd57f
- SHA512: cd325d43649cf4fb575d503b2edd1c47f56bbf6103ea186374680dd1d085f6947a9080599cce6a6e9627db9d452447ad63f4f080423e0672d3504b2dd2f0e72e
- SSDEEP: 3072:DpNFkmhDDo7QFDE5ICjmYq8Uh+cjTm9KpZQqekhwrjm2IHd/2pzl:ltAbJq8UHjTm9KYSwW1ep
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\ecofitgo\\mfgvevnl.exe" | svchost.exe
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | eneqgxpr.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | eneqgxpr.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | eneqgxpr.exe
Modifies security service 2 TTPs 8 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | eneqgxpr.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" | eneqgxpr.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | eneqgxpr.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | eneqgxpr.exe
Ramnit family

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eneqgxpr.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | eneqgxpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | eneqgxpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | eneqgxpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | eneqgxpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | eneqgxpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | eneqgxpr.exe
Drops startup file 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mfgvevnl.exe | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mfgvevnl.exe | svchost.exe
Executes dropped EXE 6 IoCs
pid | Process
1784 | qXUiUF3
2492 | qXUiUF3
2928 | eneqgxpr.exe
2004 | eneqgxpr.exe
1036 | eneqgxpr.exe
2076 | eneqgxpr.exe
Loads dropped DLL 6 IoCs
pid | Process
2508 | rundll32.exe
1784 | qXUiUF3
2492 | qXUiUF3
2928 | eneqgxpr.exe
1352 | cmd.exe
1036 | eneqgxpr.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | eneqgxpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | eneqgxpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | eneqgxpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | eneqgxpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | eneqgxpr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | eneqgxpr.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MfgVevnl = "C:\\Users\\Admin\\AppData\\Local\\ecofitgo\\mfgvevnl.exe" | svchost.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eneqgxpr.exe
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 1784 set thread context of 2492 | 1784 | qXUiUF3 | 32
PID 2928 set thread context of 2004 | 2928 | eneqgxpr.exe | 36
PID 1036 set thread context of 2076 | 1036 | eneqgxpr.exe | 40

resource | yara_rule
behavioral1/memory/2492-21-0x0000000000400000-0x0000000000436000-memory.dmp | upx
behavioral1/memory/2492-25-0x0000000000400000-0x0000000000436000-memory.dmp | upx
behavioral1/memory/2492-19-0x0000000000400000-0x0000000000436000-memory.dmp | upx
behavioral1/memory/2492-17-0x0000000000400000-0x0000000000436000-memory.dmp | upx
behavioral1/memory/2492-31-0x0000000000400000-0x0000000000436000-memory.dmp | upx
behavioral1/memory/2492-30-0x0000000000400000-0x0000000000436000-memory.dmp | upx
behavioral1/memory/2492-29-0x0000000000400000-0x0000000000436000-memory.dmp | upx
behavioral1/memory/2492-43-0x0000000000400000-0x0000000000436000-memory.dmp | upx
behavioral1/memory/2492-42-0x0000000000400000-0x0000000000436000-memory.dmp | upx
behavioral1/memory/2492-69-0x0000000000400000-0x0000000000436000-memory.dmp | upx
behavioral1/memory/2492-102-0x0000000000400000-0x0000000000436000-memory.dmp | upx
behavioral1/memory/2004-122-0x0000000000400000-0x0000000000436000-memory.dmp | upx
behavioral1/memory/2004-129-0x0000000000400000-0x0000000000436000-memory.dmp | upx
behavioral1/memory/2076-150-0x0000000000400000-0x0000000000436000-memory.dmp | upx
behavioral1/memory/2076-154-0x0000000000400000-0x0000000000436000-memory.dmp | upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eneqgxpr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qXUiUF3
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qXUiUF3
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eneqgxpr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eneqgxpr.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2628 | svchost.exe
2076 | eneqgxpr.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
476 | Process not Found
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | Process
Token: SeSecurityPrivilege | 2492 | qXUiUF3
Token: SeDebugPrivilege | 2492 | qXUiUF3
Token: SeSecurityPrivilege | 2848 | svchost.exe
Token: SeSecurityPrivilege | 2628 | svchost.exe
Token: SeDebugPrivilege | 2628 | svchost.exe
Token: SeDebugPrivilege | 2628 | svchost.exe
Token: SeRestorePrivilege | 2628 | svchost.exe
Token: SeBackupPrivilege | 2628 | svchost.exe
Token: SeDebugPrivilege | 2628 | svchost.exe
Token: SeSecurityPrivilege | 2004 | eneqgxpr.exe
Token: SeSecurityPrivilege | 2076 | eneqgxpr.exe
Token: SeLoadDriverPrivilege | 2076 | eneqgxpr.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
1784 | qXUiUF3
2928 | eneqgxpr.exe
1036 | eneqgxpr.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1736 wrote to memory of 2508 | 1736 | rundll32.exe | 30
PID 2508 wrote to memory of 1784 | 2508 | rundll32.exe | 31
PID 1784 wrote to memory of 2492 | 1784 | qXUiUF3 | 32
PID 2492 wrote to memory of 2848 | 2492 | qXUiUF3 | 33
PID 2492 wrote to memory of 2628 | 2492 | qXUiUF3 | 34
PID 2492 wrote to memory of 2928 | 2492 | qXUiUF3 | 35
PID 2928 wrote to memory of 2004 | 2928 | eneqgxpr.exe | 36
PID 2004 wrote to memory of 1352 | 2004 | eneqgxpr.exe | 37
PID 1352 wrote to memory of 1036 | 1352 | cmd.exe | 39
PID 1036 wrote to memory of 2076 | 1036 | eneqgxpr.exe | 40
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eneqgxpr.exe
Processes
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f599abb1bd76636cd689728e6e40b7cc_JaffaCakes118.dll,#1
Tree depth: 1
PID: 1736
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f599abb1bd76636cd689728e6e40b7cc_JaffaCakes118.dll,#1
Tree depth: 2
PID: 2508
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\qXUiUF3
Command line: "qXUiUF3"
Tree depth: 3
PID: 1784
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\qXUiUF3
Command line: "qXUiUF3"
Tree depth: 4
PID: 2492
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\system32\svchost.exe
Tree depth: 5
PID: 2848
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\system32\svchost.exe
Tree depth: 5
PID: 2628
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- UAC bypass
- Windows security bypass
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\eneqgxpr.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\eneqgxpr.exe" elevate
Tree depth: 5
PID: 2928
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\eneqgxpr.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\eneqgxpr.exe" elevate
Tree depth: 6
PID: 2004
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\eneqgxpr.exe"" admin
Tree depth: 7
PID: 1352
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\eneqgxpr.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\eneqgxpr.exe" admin
Tree depth: 8
PID: 1036
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Local\Temp\eneqgxpr.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\eneqgxpr.exe" admin
Tree depth: 9
PID: 2076
- Modifies firewall policy service
- Modifies security service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 2
  - Windows Service: 2
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 2
  - Windows Service: 2
Defense Evasion
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Impair Defenses: 4
  - Disable or Modify System Firewall: 1
  - Disable or Modify Tools: 3
- Modify Registry: 8
Downloads
- Filesize: 108KB
- MD5: 09257769efa80e8c04db7a53d929248a
- SHA1: fefcdd255ed8e471c0546e070a91c157f8e6e18c
- SHA256: a4dc97604a95df6a14046ae10b957fc4e29ec9d475092ff28e9cd0487156add9
- SHA512: 8b8f4ffeaeebee0bd41a2f99b2bc1c5d47cbae06a08adf7914c88b4e996cc30d8bdba0fea336631ce54bab4fe53a3610118fd99922bc6674fc7f3cba80bad7c3