Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
17-01-2025 18:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
JaffaCakes118_944e421879c77c4e4dcb5315b6f0a842.exe
Resource
win7-20240708-en
windows7-x64
13 signatures
150 seconds
General
-
Target
JaffaCakes118_944e421879c77c4e4dcb5315b6f0a842.exe
-
Size
95KB
-
MD5
944e421879c77c4e4dcb5315b6f0a842
-
SHA1
169325f300d723875ee3942378d94640d2ffbfc8
-
SHA256
1c6a27e52432237ed3740d04e995adf70b71d31cfb0ef516ed18256fa5640b3a
-
SHA512
f48811c4791fbfde033af87c3546aa46593fd3a7aeeb65c6567ae09298bd6b14c6898a9242f2cb0958691bd32e294dfab664d321ff7c950e06932bf9403e6863
-
SSDEEP
768:+06R0UrgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9ICW:MR0jn3Pc0LCH9MtbvabUDzJYWu3B
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Ramnit family
-
Executes dropped EXE 1 IoCs
pid Process 2764 WaterMark.exe -
Loads dropped DLL 2 IoCs
pid Process 2252 JaffaCakes118_944e421879c77c4e4dcb5315b6f0a842.exe 2252 JaffaCakes118_944e421879c77c4e4dcb5315b6f0a842.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
resource yara_rule behavioral1/memory/2252-3-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2252-1-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2252-8-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2252-7-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2252-6-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2252-5-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2252-4-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2764-28-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2764-75-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2764-591-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\micaut.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\ChkrRes.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\keystore\libmemory_keystore_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_a52_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_h264_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\settings.html svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html svchost.exe File opened for modification C:\Program Files\Common Files\System\msadc\msdarem.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libcrystalhd_plugin.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\freebl3.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libheadphone_channel_mixer_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\jawt.dll svchost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\VISSHE.DLL svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libedummy_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\spu\libremoteosd_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\d3dcompiler_47.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\F12Resources.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\JavaAccessBridge-64.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\awt.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\Shvl.dll svchost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll svchost.exe File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libwin_msg_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Defender\MpRTP.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_rist_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libmmdevice_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\spu\libsubsdelay_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_mmx_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscene_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe svchost.exe File opened for modification C:\Program Files\Internet Explorer\iexplore.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\liblogger_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Defender\MsMpLics.dll svchost.exe File opened for modification C:\Program Files\Windows Journal\MSPVWCTL.DLL svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\settings.html svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\msadc\msadcf.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Xml.Linq.Resources.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\hprof.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\jsoundds.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgradfun_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\msadc\msadco.dll svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\jli.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Web.Entity.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\liblive555_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libvcd_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\hxdsui.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libglwin32_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\picturePuzzle.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libcc_plugin.dll svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_944e421879c77c4e4dcb5315b6f0a842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process 2764 WaterMark.exe 2764 WaterMark.exe 2764 WaterMark.exe 2764 WaterMark.exe 2764 WaterMark.exe 2764 WaterMark.exe 2764 WaterMark.exe 2764 WaterMark.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe 1028 svchost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2764 WaterMark.exe Token: SeDebugPrivilege 1028 svchost.exe Token: SeDebugPrivilege 2764 WaterMark.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 2252 JaffaCakes118_944e421879c77c4e4dcb5315b6f0a842.exe 2764 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2252 wrote to memory of 2764 2252 JaffaCakes118_944e421879c77c4e4dcb5315b6f0a842.exe 30 PID 2252 wrote to memory of 2764 2252 JaffaCakes118_944e421879c77c4e4dcb5315b6f0a842.exe 30 PID 2252 wrote to memory of 2764 2252 JaffaCakes118_944e421879c77c4e4dcb5315b6f0a842.exe 30 PID 2252 wrote to memory of 2764 2252 JaffaCakes118_944e421879c77c4e4dcb5315b6f0a842.exe 30 PID 2764 wrote to memory of 2824 2764 WaterMark.exe 31 PID 2764 wrote to memory of 2824 2764 WaterMark.exe 31 PID 2764 wrote to memory of 2824 2764 WaterMark.exe 31 PID 2764 wrote to memory of 2824 2764 WaterMark.exe 31 PID 2764 wrote to memory of 2824 2764 WaterMark.exe 31 PID 2764 wrote to memory of 2824 2764 WaterMark.exe 31 PID 2764 wrote to memory of 2824 2764 WaterMark.exe 31 PID 2764 wrote to memory of 2824 2764 WaterMark.exe 31 PID 2764 wrote to memory of 2824 2764 WaterMark.exe 31 PID 2764 wrote to memory of 2824 2764 WaterMark.exe 31 PID 2764 wrote to memory of 1028 2764 WaterMark.exe 32 PID 2764 wrote to memory of 1028 2764 WaterMark.exe 32 PID 2764 wrote to memory of 1028 2764 WaterMark.exe 32 PID 2764 wrote to memory of 1028 2764 WaterMark.exe 32 PID 2764 wrote to memory of 1028 2764 WaterMark.exe 32 PID 2764 wrote to memory of 1028 2764 WaterMark.exe 32 PID 2764 wrote to memory of 1028 2764 WaterMark.exe 32 PID 2764 wrote to memory of 1028 2764 WaterMark.exe 32 PID 2764 wrote to memory of 1028 2764 WaterMark.exe 32 PID 2764 wrote to memory of 1028 2764 WaterMark.exe 32 PID 1028 wrote to memory of 256 1028 svchost.exe 1 PID 1028 wrote to memory of 256 1028 svchost.exe 1 PID 1028 wrote to memory of 256 1028 svchost.exe 1 PID 1028 wrote to memory of 256 1028 svchost.exe 1 PID 1028 wrote to memory of 256 1028 svchost.exe 1 PID 1028 wrote to memory of 336 1028 svchost.exe 2 PID 1028 wrote to memory of 336 1028 svchost.exe 2 PID 1028 wrote to memory of 336 1028 svchost.exe 2 PID 1028 wrote to memory of 336 1028 svchost.exe 2 PID 1028 wrote to memory of 336 1028 svchost.exe 2 PID 1028 wrote to memory of 384 1028 svchost.exe 3 PID 1028 wrote to memory of 384 1028 svchost.exe 3 PID 1028 wrote to memory of 384 1028 svchost.exe 3 PID 1028 wrote to memory of 384 1028 svchost.exe 3 PID 1028 wrote to memory of 384 1028 svchost.exe 3 PID 1028 wrote to memory of 392 1028 svchost.exe 4 PID 1028 wrote to memory of 392 1028 svchost.exe 4 PID 1028 wrote to memory of 392 1028 svchost.exe 4 PID 1028 wrote to memory of 392 1028 svchost.exe 4 PID 1028 wrote to memory of 392 1028 svchost.exe 4 PID 1028 wrote to memory of 432 1028 svchost.exe 5 PID 1028 wrote to memory of 432 1028 svchost.exe 5 PID 1028 wrote to memory of 432 1028 svchost.exe 5 PID 1028 wrote to memory of 432 1028 svchost.exe 5 PID 1028 wrote to memory of 432 1028 svchost.exe 5 PID 1028 wrote to memory of 480 1028 svchost.exe 6 PID 1028 wrote to memory of 480 1028 svchost.exe 6 PID 1028 wrote to memory of 480 1028 svchost.exe 6 PID 1028 wrote to memory of 480 1028 svchost.exe 6 PID 1028 wrote to memory of 480 1028 svchost.exe 6 PID 1028 wrote to memory of 488 1028 svchost.exe 7 PID 1028 wrote to memory of 488 1028 svchost.exe 7 PID 1028 wrote to memory of 488 1028 svchost.exe 7 PID 1028 wrote to memory of 488 1028 svchost.exe 7 PID 1028 wrote to memory of 488 1028 svchost.exe 7 PID 1028 wrote to memory of 496 1028 svchost.exe 8 PID 1028 wrote to memory of 496 1028 svchost.exe 8 PID 1028 wrote to memory of 496 1028 svchost.exe 8 PID 1028 wrote to memory of 496 1028 svchost.exe 8 PID 1028 wrote to memory of 496 1028 svchost.exe 8
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:256
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:336
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:384
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:480
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:596
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵PID:1244
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:1488
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:676
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:752
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:820
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1168
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:848
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵PID:2144
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:972
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:284
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:348
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:1072
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1108
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵PID:1092
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:2892
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:2088
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:488
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:496
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:392
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:432
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1204
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_944e421879c77c4e4dcb5315b6f0a842.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_944e421879c77c4e4dcb5315b6f0a842.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2824
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1028
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD5944e421879c77c4e4dcb5315b6f0a842
SHA1169325f300d723875ee3942378d94640d2ffbfc8
SHA2561c6a27e52432237ed3740d04e995adf70b71d31cfb0ef516ed18256fa5640b3a
SHA512f48811c4791fbfde033af87c3546aa46593fd3a7aeeb65c6567ae09298bd6b14c6898a9242f2cb0958691bd32e294dfab664d321ff7c950e06932bf9403e6863
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize204KB
MD5d5c2090b90d397c0b0857719ed396142
SHA1ff4ba327c71c5f187d708c0a99746b71f670809b
SHA256c0833ffb5136a7ca883bb72bf82de2d30ca5208b234c53a99f5423ca97281f6b
SHA51204a225ef1b7124fc97e508e2513c4ded31a5bcc4f87bda8a54e560c621b885c44531650b0e19ff37d7af61336e30465351f9fd3015964feeaf110ca96a934ce6
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize200KB
MD5091fd62cacd85e9b71f0e27a5fd5900d
SHA1240476550420109dcbfea486a97ac5422732a7b6
SHA2564fc53f37e06a7072b4fb55a2a7715b3b5716ed5507f05b90f87a1957f2fce22a
SHA512dc02c93abb704c98529571720af83c69f7680f7618ea4c8cc80263d10140de539e3376bfd9b04e4c270e725816cfe94f6fc8fc67e185a1ffe2adb1f6b1e36f2b