Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14-01-2025 23:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
JaffaCakes118_47b48343b0628587b3300abd4defc640.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
150 seconds
General
-
Target
JaffaCakes118_47b48343b0628587b3300abd4defc640.exe
-
Size
95KB
-
MD5
47b48343b0628587b3300abd4defc640
-
SHA1
c7fd78351355a75c2d63bd34fe57ab6ff2f5293d
-
SHA256
1942b61c074056239f6b3cd672a753a43dbec1641483a21cf029c4f2b548bcf9
-
SHA512
50c16288d6b6833e8dc2cc5b3cd509a21c27b7e93e7c00047883edd8a7b17d3c0a560cc1b4a6bd0fe7a1a835031f818ef0d0b1fea2dee9eea09bfda9f6d924da
-
SSDEEP
768:Ir06R0UrgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9I/:MR0jn3Pc0LCH9MtbvabUDzJYWu3B
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Ramnit family
-
Executes dropped EXE 1 IoCs
pid Process 2524 WaterMark.exe -
Loads dropped DLL 2 IoCs
pid Process 1272 JaffaCakes118_47b48343b0628587b3300abd4defc640.exe 1272 JaffaCakes118_47b48343b0628587b3300abd4defc640.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
resource yara_rule behavioral1/memory/1272-7-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1272-9-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1272-6-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1272-3-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1272-2-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1272-1-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2524-30-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2524-27-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2524-26-0x0000000000400000-0x0000000000468000-memory.dmp upx behavioral1/memory/1272-0-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2524-60-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2524-71-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2524-587-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Internet Explorer\pdm.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\net.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Chess\Chess.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\weather.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2iexp.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libsatip_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\keystore\libfile_keystore_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscene_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\visualization\libgoom_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\msadc\msaddsr.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe svchost.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationClient.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationTypes.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_srt_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\liba52_plugin.dll svchost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsepia_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsdt.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\mlib_image.dll svchost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\ONLNTCOMLIB.DLL svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\ReachFramework.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatialaudio_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libxml_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\journal.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\CsiSoap.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\prism-d3d.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm svchost.exe File opened for modification C:\Program Files\Common Files\System\msadc\msdfmap.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\D3DCompiler_47.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.ServiceModel.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\hxdsui.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\glass.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\jpeg.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libcompressor_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libwav_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_mmx_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirectdraw_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe svchost.exe File opened for modification C:\Program Files\Internet Explorer\iedvtool.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\management.dll svchost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\AUTHZAX.DLL svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libdcp_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icudt36.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\awt.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\dt_shmem.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_autodel_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Mail\wab.exe svchost.exe File opened for modification C:\Program Files\Windows Sidebar\sbdrop.dll svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_47b48343b0628587b3300abd4defc640.exe -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process 2524 WaterMark.exe 2524 WaterMark.exe 2524 WaterMark.exe 2524 WaterMark.exe 2524 WaterMark.exe 2524 WaterMark.exe 2524 WaterMark.exe 2524 WaterMark.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe 1276 svchost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2524 WaterMark.exe Token: SeDebugPrivilege 1276 svchost.exe Token: SeDebugPrivilege 2524 WaterMark.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 1272 JaffaCakes118_47b48343b0628587b3300abd4defc640.exe 2524 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1272 wrote to memory of 2524 1272 JaffaCakes118_47b48343b0628587b3300abd4defc640.exe 30 PID 1272 wrote to memory of 2524 1272 JaffaCakes118_47b48343b0628587b3300abd4defc640.exe 30 PID 1272 wrote to memory of 2524 1272 JaffaCakes118_47b48343b0628587b3300abd4defc640.exe 30 PID 1272 wrote to memory of 2524 1272 JaffaCakes118_47b48343b0628587b3300abd4defc640.exe 30 PID 2524 wrote to memory of 2300 2524 WaterMark.exe 31 PID 2524 wrote to memory of 2300 2524 WaterMark.exe 31 PID 2524 wrote to memory of 2300 2524 WaterMark.exe 31 PID 2524 wrote to memory of 2300 2524 WaterMark.exe 31 PID 2524 wrote to memory of 2300 2524 WaterMark.exe 31 PID 2524 wrote to memory of 2300 2524 WaterMark.exe 31 PID 2524 wrote to memory of 2300 2524 WaterMark.exe 31 PID 2524 wrote to memory of 2300 2524 WaterMark.exe 31 PID 2524 wrote to memory of 2300 2524 WaterMark.exe 31 PID 2524 wrote to memory of 2300 2524 WaterMark.exe 31 PID 2524 wrote to memory of 1276 2524 WaterMark.exe 32 PID 2524 wrote to memory of 1276 2524 WaterMark.exe 32 PID 2524 wrote to memory of 1276 2524 WaterMark.exe 32 PID 2524 wrote to memory of 1276 2524 WaterMark.exe 32 PID 2524 wrote to memory of 1276 2524 WaterMark.exe 32 PID 2524 wrote to memory of 1276 2524 WaterMark.exe 32 PID 2524 wrote to memory of 1276 2524 WaterMark.exe 32 PID 2524 wrote to memory of 1276 2524 WaterMark.exe 32 PID 2524 wrote to memory of 1276 2524 WaterMark.exe 32 PID 2524 wrote to memory of 1276 2524 WaterMark.exe 32 PID 1276 wrote to memory of 256 1276 svchost.exe 1 PID 1276 wrote to memory of 256 1276 svchost.exe 1 PID 1276 wrote to memory of 256 1276 svchost.exe 1 PID 1276 wrote to memory of 256 1276 svchost.exe 1 PID 1276 wrote to memory of 256 1276 svchost.exe 1 PID 1276 wrote to memory of 332 1276 svchost.exe 2 PID 1276 wrote to memory of 332 1276 svchost.exe 2 PID 1276 wrote to memory of 332 1276 svchost.exe 2 PID 1276 wrote to memory of 332 1276 svchost.exe 2 PID 1276 wrote to memory of 332 1276 svchost.exe 2 PID 1276 wrote to memory of 384 1276 svchost.exe 3 PID 1276 wrote to memory of 384 1276 svchost.exe 3 PID 1276 wrote to memory of 384 1276 svchost.exe 3 PID 1276 wrote to memory of 384 1276 svchost.exe 3 PID 1276 wrote to memory of 384 1276 svchost.exe 3 PID 1276 wrote to memory of 396 1276 svchost.exe 4 PID 1276 wrote to memory of 396 1276 svchost.exe 4 PID 1276 wrote to memory of 396 1276 svchost.exe 4 PID 1276 wrote to memory of 396 1276 svchost.exe 4 PID 1276 wrote to memory of 396 1276 svchost.exe 4 PID 1276 wrote to memory of 432 1276 svchost.exe 5 PID 1276 wrote to memory of 432 1276 svchost.exe 5 PID 1276 wrote to memory of 432 1276 svchost.exe 5 PID 1276 wrote to memory of 432 1276 svchost.exe 5 PID 1276 wrote to memory of 432 1276 svchost.exe 5 PID 1276 wrote to memory of 476 1276 svchost.exe 6 PID 1276 wrote to memory of 476 1276 svchost.exe 6 PID 1276 wrote to memory of 476 1276 svchost.exe 6 PID 1276 wrote to memory of 476 1276 svchost.exe 6 PID 1276 wrote to memory of 476 1276 svchost.exe 6 PID 1276 wrote to memory of 492 1276 svchost.exe 7 PID 1276 wrote to memory of 492 1276 svchost.exe 7 PID 1276 wrote to memory of 492 1276 svchost.exe 7 PID 1276 wrote to memory of 492 1276 svchost.exe 7 PID 1276 wrote to memory of 492 1276 svchost.exe 7 PID 1276 wrote to memory of 500 1276 svchost.exe 8 PID 1276 wrote to memory of 500 1276 svchost.exe 8 PID 1276 wrote to memory of 500 1276 svchost.exe 8 PID 1276 wrote to memory of 500 1276 svchost.exe 8 PID 1276 wrote to memory of 500 1276 svchost.exe 8
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:256
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:332
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:384
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:476
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:604
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:2036
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵PID:1572
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:680
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:752
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:816
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1160
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:856
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵PID:1344
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:984
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:280
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:324
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:1068
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1108
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵PID:864
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:2348
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:2244
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:492
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:500
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:396
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:432
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_47b48343b0628587b3300abd4defc640.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_47b48343b0628587b3300abd4defc640.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2300
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize204KB
MD5956ee2e6788f8e11fc91a3ade84ad559
SHA1e5787b413a7828b7d51740cd56ddcb84d5082fcb
SHA256234d520735ba5b6b3f083bfc641ac991fca5b84280ef2901c0b9b62976348712
SHA5123e9043a44c1da05d9b100b1210905ae2d3137bd69b828e647f06cff50dcb670ba2fe5f5fa4a5a38572d325f679765e4381c86c9a2ebd899b992f19ac379730c3
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize200KB
MD5e71f9920f725c90f405afdfb90069ecf
SHA13314513a4167bee3857abdc31e7b9043d749156e
SHA256ec769a07f92a6355ca08d160c74007d69414dd14b6d3101c34a9e02689011d1c
SHA512e2f54e7a7cb213114d128936b85902a8ddf66ac57a53030442948649d9f6d61ff840a468fa53258da129b603c6b0e38d67aadc61d1d8472965d870111a26cbee
-
Filesize
95KB
MD547b48343b0628587b3300abd4defc640
SHA1c7fd78351355a75c2d63bd34fe57ab6ff2f5293d
SHA2561942b61c074056239f6b3cd672a753a43dbec1641483a21cf029c4f2b548bcf9
SHA51250c16288d6b6833e8dc2cc5b3cd509a21c27b7e93e7c00047883edd8a7b17d3c0a560cc1b4a6bd0fe7a1a835031f818ef0d0b1fea2dee9eea09bfda9f6d924da