Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
01-01-2025 04:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
JaffaCakes118_47f2734e9f3e75c039c7729efdc89387.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
150 seconds
General
-
Target
JaffaCakes118_47f2734e9f3e75c039c7729efdc89387.exe
-
Size
149KB
-
MD5
47f2734e9f3e75c039c7729efdc89387
-
SHA1
7e8218b099578bd74a550a3bcec0bd4a022295a3
-
SHA256
19ae01042f609c745a0524c789f3a07e452a79061267786539ef6ec575d234f4
-
SHA512
88165b073d01bdf49de6b14778a31281f3f0d900233599fab09df601b48c408260802aebabf2ff61007ac45f1e8155eb5e8a16038747b9c2e0cb799a711720f0
-
SSDEEP
3072:SR2xn3k0CdM1vabyzJYWqdaxfa04a3c3KQ3n/:SR2J0LS6VdaT3c5n/
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Ramnit family
-
Executes dropped EXE 1 IoCs
pid Process 2524 WaterMark.exe -
Loads dropped DLL 2 IoCs
pid Process 2384 JaffaCakes118_47f2734e9f3e75c039c7729efdc89387.exe 2384 JaffaCakes118_47f2734e9f3e75c039c7729efdc89387.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
resource yara_rule behavioral1/memory/2384-8-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2384-7-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2524-28-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2524-27-0x0000000000400000-0x0000000000431000-memory.dmp upx behavioral1/memory/2384-6-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2384-3-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2384-2-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2384-1-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2384-0-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2524-71-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2524-605-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\pxAE2A.tmp JaffaCakes118_47f2734e9f3e75c039c7729efdc89387.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libkate_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libwin_hotkeys_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_bridge_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEODDBS.DLL svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXP_PDF.DLL svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXP_XPS.DLL svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSO.DLL svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\decora-sse.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libsubstx3g_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACETXT.DLL svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm svchost.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\msdaosp.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\mozwer.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\updater.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Web.Entity.Design.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libdmo_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\hxdsui.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEREP.DLL svchost.exe File opened for modification C:\Program Files\7-Zip\7-zip32.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\jsound.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationTypes.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudiobargraph_a_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsdec_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_vc1_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Acrofx32.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\DirectDB.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\fontmanager.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\libxml2.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Xml.Linq.Resources.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\settings.html svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\installer.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\mozavcodec.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libscreen_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libupnp_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libvmem_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\MCESidebarCtrl.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jfxmedia.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\liboldrc_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_record_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_standard_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Journal\PDIALOG.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.RunTime.Serialization.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libposterize_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\journal.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\msadc\msadcor.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\msvcr100.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\dcpr.dll svchost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\IEAWSDC.DLL svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_http_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\liblibass_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libvod_rtsp_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\RSSFeeds.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\decora-sse.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Net.Resources.dll svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_47f2734e9f3e75c039c7729efdc89387.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process 2524 WaterMark.exe 2524 WaterMark.exe 2524 WaterMark.exe 2524 WaterMark.exe 2524 WaterMark.exe 2524 WaterMark.exe 2524 WaterMark.exe 2524 WaterMark.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe 2832 svchost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2524 WaterMark.exe Token: SeDebugPrivilege 2832 svchost.exe Token: SeDebugPrivilege 2524 WaterMark.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 2384 JaffaCakes118_47f2734e9f3e75c039c7729efdc89387.exe 2524 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2384 wrote to memory of 2524 2384 JaffaCakes118_47f2734e9f3e75c039c7729efdc89387.exe 30 PID 2384 wrote to memory of 2524 2384 JaffaCakes118_47f2734e9f3e75c039c7729efdc89387.exe 30 PID 2384 wrote to memory of 2524 2384 JaffaCakes118_47f2734e9f3e75c039c7729efdc89387.exe 30 PID 2384 wrote to memory of 2524 2384 JaffaCakes118_47f2734e9f3e75c039c7729efdc89387.exe 30 PID 2524 wrote to memory of 2880 2524 WaterMark.exe 31 PID 2524 wrote to memory of 2880 2524 WaterMark.exe 31 PID 2524 wrote to memory of 2880 2524 WaterMark.exe 31 PID 2524 wrote to memory of 2880 2524 WaterMark.exe 31 PID 2524 wrote to memory of 2880 2524 WaterMark.exe 31 PID 2524 wrote to memory of 2880 2524 WaterMark.exe 31 PID 2524 wrote to memory of 2880 2524 WaterMark.exe 31 PID 2524 wrote to memory of 2880 2524 WaterMark.exe 31 PID 2524 wrote to memory of 2880 2524 WaterMark.exe 31 PID 2524 wrote to memory of 2880 2524 WaterMark.exe 31 PID 2524 wrote to memory of 2832 2524 WaterMark.exe 32 PID 2524 wrote to memory of 2832 2524 WaterMark.exe 32 PID 2524 wrote to memory of 2832 2524 WaterMark.exe 32 PID 2524 wrote to memory of 2832 2524 WaterMark.exe 32 PID 2524 wrote to memory of 2832 2524 WaterMark.exe 32 PID 2524 wrote to memory of 2832 2524 WaterMark.exe 32 PID 2524 wrote to memory of 2832 2524 WaterMark.exe 32 PID 2524 wrote to memory of 2832 2524 WaterMark.exe 32 PID 2524 wrote to memory of 2832 2524 WaterMark.exe 32 PID 2524 wrote to memory of 2832 2524 WaterMark.exe 32 PID 2832 wrote to memory of 256 2832 svchost.exe 1 PID 2832 wrote to memory of 256 2832 svchost.exe 1 PID 2832 wrote to memory of 256 2832 svchost.exe 1 PID 2832 wrote to memory of 256 2832 svchost.exe 1 PID 2832 wrote to memory of 256 2832 svchost.exe 1 PID 2832 wrote to memory of 332 2832 svchost.exe 2 PID 2832 wrote to memory of 332 2832 svchost.exe 2 PID 2832 wrote to memory of 332 2832 svchost.exe 2 PID 2832 wrote to memory of 332 2832 svchost.exe 2 PID 2832 wrote to memory of 332 2832 svchost.exe 2 PID 2832 wrote to memory of 384 2832 svchost.exe 3 PID 2832 wrote to memory of 384 2832 svchost.exe 3 PID 2832 wrote to memory of 384 2832 svchost.exe 3 PID 2832 wrote to memory of 384 2832 svchost.exe 3 PID 2832 wrote to memory of 384 2832 svchost.exe 3 PID 2832 wrote to memory of 392 2832 svchost.exe 4 PID 2832 wrote to memory of 392 2832 svchost.exe 4 PID 2832 wrote to memory of 392 2832 svchost.exe 4 PID 2832 wrote to memory of 392 2832 svchost.exe 4 PID 2832 wrote to memory of 392 2832 svchost.exe 4 PID 2832 wrote to memory of 432 2832 svchost.exe 5 PID 2832 wrote to memory of 432 2832 svchost.exe 5 PID 2832 wrote to memory of 432 2832 svchost.exe 5 PID 2832 wrote to memory of 432 2832 svchost.exe 5 PID 2832 wrote to memory of 432 2832 svchost.exe 5 PID 2832 wrote to memory of 476 2832 svchost.exe 6 PID 2832 wrote to memory of 476 2832 svchost.exe 6 PID 2832 wrote to memory of 476 2832 svchost.exe 6 PID 2832 wrote to memory of 476 2832 svchost.exe 6 PID 2832 wrote to memory of 476 2832 svchost.exe 6 PID 2832 wrote to memory of 492 2832 svchost.exe 7 PID 2832 wrote to memory of 492 2832 svchost.exe 7 PID 2832 wrote to memory of 492 2832 svchost.exe 7 PID 2832 wrote to memory of 492 2832 svchost.exe 7 PID 2832 wrote to memory of 492 2832 svchost.exe 7 PID 2832 wrote to memory of 500 2832 svchost.exe 8 PID 2832 wrote to memory of 500 2832 svchost.exe 8 PID 2832 wrote to memory of 500 2832 svchost.exe 8 PID 2832 wrote to memory of 500 2832 svchost.exe 8 PID 2832 wrote to memory of 500 2832 svchost.exe 8
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:256
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:332
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:384
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:476
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:604
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:1388
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵PID:396
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:668
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:760
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:804
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1160
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:852
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵PID:2556
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:960
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:272
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:352
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:1064
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1104
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵PID:1604
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:1184
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:2356
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:492
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:500
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:392
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:432
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1192
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_47f2734e9f3e75c039c7729efdc89387.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_47f2734e9f3e75c039c7729efdc89387.exe"2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2880
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize312KB
MD5dad0e301b39c835612e7f10e2c980109
SHA135c9e415683ab657f8744d8c5f4c403d501d510b
SHA256f742ef6972809c389fc43d7ee14158bf43d643a991efbc3182d463fe2a5d9f01
SHA512463afc82e6176c45b8ab5e039876b7e75d286dea77b9ab1ad9ef34b73c73920181365b6570139e384b11fcd38ab11b4e79c3d705690c298eaeacb5e95ca96ca5
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize309KB
MD5ad5c2be99c1735516f5374e74333bd4f
SHA18ebffe2c1779c5912323755ec9d0600761c67508
SHA25694e739d86087e53d3f8c4bfa48b8ea384b13066cc52e34993f99bd45f7fba992
SHA5129ca677a1164a29bbcd511271ddf9403361489b0402ecc36c7a5f3141962eb38e064dc3884701be7cc8d7d7a8d818852adc5457234e3fa756a26ca863a9e5a673
-
Filesize
149KB
MD547f2734e9f3e75c039c7729efdc89387
SHA17e8218b099578bd74a550a3bcec0bd4a022295a3
SHA25619ae01042f609c745a0524c789f3a07e452a79061267786539ef6ec575d234f4
SHA51288165b073d01bdf49de6b14778a31281f3f0d900233599fab09df601b48c408260802aebabf2ff61007ac45f1e8155eb5e8a16038747b9c2e0cb799a711720f0