Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
18/01/2025, 20:19
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_b394729f1aa0b1ea05b753cf7a0bd1f8.exe
Resource
win7-20240729-en
General
-
Target
JaffaCakes118_b394729f1aa0b1ea05b753cf7a0bd1f8.exe
-
Size
184KB
-
MD5
b394729f1aa0b1ea05b753cf7a0bd1f8
-
SHA1
51c6ca4451baa287e7bdf4b426e355d2175ddb28
-
SHA256
2602dfe432e5021c0654f015c2c30c4f2790872343710245c2005c1b77337be6
-
SHA512
5f1b534b35aad584cb5f3277a7ea23fc0835713db91882daf1128081f3ce9ee196c910b59711214cdb661814c692dcc6ec4107da263659603bb8d3cbd66d333d
-
SSDEEP
768:d06R0UKzOgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9Y:7R0vxn3Pc0LCH9MtbvabUDzJYWu3B
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Ramnit family
-
Executes dropped EXE 1 IoCs
pid Process 548 WaterMark.exe -
Loads dropped DLL 2 IoCs
pid Process 1896 JaffaCakes118_b394729f1aa0b1ea05b753cf7a0bd1f8.exe 1896 JaffaCakes118_b394729f1aa0b1ea05b753cf7a0bd1f8.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
resource yara_rule behavioral1/memory/1896-3-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1896-8-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1896-7-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1896-6-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1896-4-0x0000000000400000-0x0000000000471000-memory.dmp upx behavioral1/memory/1896-2-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1896-1-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1896-0-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/548-28-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/548-74-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/548-595-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssv.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\libvlc.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckg.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IO.Log.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libflaschen_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\msadc\msadcf.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\prism-d3d.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\settings.html svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Windows.Presentation.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\msvcp140.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Utilities.v3.5.resources.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\journal.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\ReachFramework.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_realrtsp_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\settings.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\nio.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libedummy_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dirac_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\spu\libmosaic_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i422_plugin.dll svchost.exe File opened for modification C:\Program Files\DVD Maker\PipeTran.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\pdm.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\net.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\clock.html svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_vc1_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libwin_hotkeys_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libpva_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\JdbcOdbc.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Management.Instrumentation.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libfaad_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libxml_plugin.dll svchost.exe File opened for modification C:\Program Files\7-Zip\7-zip.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\ado\msado15.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\msadc\msadcor.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mraut.dll svchost.exe File opened for modification C:\Program Files\Windows Journal\jnwppr.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pe.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libaom_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libtheora_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\currency.html svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\penchs.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\unpack.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcolorthres_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libstats_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i420_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Journal\NBMapTIP.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\instrument.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\updater.exe svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIB.dll svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_b394729f1aa0b1ea05b753cf7a0bd1f8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process 548 WaterMark.exe 548 WaterMark.exe 548 WaterMark.exe 548 WaterMark.exe 548 WaterMark.exe 548 WaterMark.exe 548 WaterMark.exe 548 WaterMark.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe 2408 svchost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 548 WaterMark.exe Token: SeDebugPrivilege 2408 svchost.exe Token: SeDebugPrivilege 548 WaterMark.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 1896 JaffaCakes118_b394729f1aa0b1ea05b753cf7a0bd1f8.exe 548 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1896 wrote to memory of 548 1896 JaffaCakes118_b394729f1aa0b1ea05b753cf7a0bd1f8.exe 30 PID 1896 wrote to memory of 548 1896 JaffaCakes118_b394729f1aa0b1ea05b753cf7a0bd1f8.exe 30 PID 1896 wrote to memory of 548 1896 JaffaCakes118_b394729f1aa0b1ea05b753cf7a0bd1f8.exe 30 PID 1896 wrote to memory of 548 1896 JaffaCakes118_b394729f1aa0b1ea05b753cf7a0bd1f8.exe 30 PID 548 wrote to memory of 2716 548 WaterMark.exe 31 PID 548 wrote to memory of 2716 548 WaterMark.exe 31 PID 548 wrote to memory of 2716 548 WaterMark.exe 31 PID 548 wrote to memory of 2716 548 WaterMark.exe 31 PID 548 wrote to memory of 2716 548 WaterMark.exe 31 PID 548 wrote to memory of 2716 548 WaterMark.exe 31 PID 548 wrote to memory of 2716 548 WaterMark.exe 31 PID 548 wrote to memory of 2716 548 WaterMark.exe 31 PID 548 wrote to memory of 2716 548 WaterMark.exe 31 PID 548 wrote to memory of 2716 548 WaterMark.exe 31 PID 548 wrote to memory of 2408 548 WaterMark.exe 32 PID 548 wrote to memory of 2408 548 WaterMark.exe 32 PID 548 wrote to memory of 2408 548 WaterMark.exe 32 PID 548 wrote to memory of 2408 548 WaterMark.exe 32 PID 548 wrote to memory of 2408 548 WaterMark.exe 32 PID 548 wrote to memory of 2408 548 WaterMark.exe 32 PID 548 wrote to memory of 2408 548 WaterMark.exe 32 PID 548 wrote to memory of 2408 548 WaterMark.exe 32 PID 548 wrote to memory of 2408 548 WaterMark.exe 32 PID 548 wrote to memory of 2408 548 WaterMark.exe 32 PID 2408 wrote to memory of 256 2408 svchost.exe 1 PID 2408 wrote to memory of 256 2408 svchost.exe 1 PID 2408 wrote to memory of 256 2408 svchost.exe 1 PID 2408 wrote to memory of 256 2408 svchost.exe 1 PID 2408 wrote to memory of 256 2408 svchost.exe 1 PID 2408 wrote to memory of 332 2408 svchost.exe 2 PID 2408 wrote to memory of 332 2408 svchost.exe 2 PID 2408 wrote to memory of 332 2408 svchost.exe 2 PID 2408 wrote to memory of 332 2408 svchost.exe 2 PID 2408 wrote to memory of 332 2408 svchost.exe 2 PID 2408 wrote to memory of 384 2408 svchost.exe 3 PID 2408 wrote to memory of 384 2408 svchost.exe 3 PID 2408 wrote to memory of 384 2408 svchost.exe 3 PID 2408 wrote to memory of 384 2408 svchost.exe 3 PID 2408 wrote to memory of 384 2408 svchost.exe 3 PID 2408 wrote to memory of 392 2408 svchost.exe 4 PID 2408 wrote to memory of 392 2408 svchost.exe 4 PID 2408 wrote to memory of 392 2408 svchost.exe 4 PID 2408 wrote to memory of 392 2408 svchost.exe 4 PID 2408 wrote to memory of 392 2408 svchost.exe 4 PID 2408 wrote to memory of 432 2408 svchost.exe 5 PID 2408 wrote to memory of 432 2408 svchost.exe 5 PID 2408 wrote to memory of 432 2408 svchost.exe 5 PID 2408 wrote to memory of 432 2408 svchost.exe 5 PID 2408 wrote to memory of 432 2408 svchost.exe 5 PID 2408 wrote to memory of 476 2408 svchost.exe 6 PID 2408 wrote to memory of 476 2408 svchost.exe 6 PID 2408 wrote to memory of 476 2408 svchost.exe 6 PID 2408 wrote to memory of 476 2408 svchost.exe 6 PID 2408 wrote to memory of 476 2408 svchost.exe 6 PID 2408 wrote to memory of 492 2408 svchost.exe 7 PID 2408 wrote to memory of 492 2408 svchost.exe 7 PID 2408 wrote to memory of 492 2408 svchost.exe 7 PID 2408 wrote to memory of 492 2408 svchost.exe 7 PID 2408 wrote to memory of 492 2408 svchost.exe 7 PID 2408 wrote to memory of 500 2408 svchost.exe 8 PID 2408 wrote to memory of 500 2408 svchost.exe 8 PID 2408 wrote to memory of 500 2408 svchost.exe 8 PID 2408 wrote to memory of 500 2408 svchost.exe 8 PID 2408 wrote to memory of 500 2408 svchost.exe 8
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:256
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:332
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:384
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:476
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:616
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:1744
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵PID:1832
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:692
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:752
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:828
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1196
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:864
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵PID:2100
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:976
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:280
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:924
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:1048
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1124
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵PID:1076
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:1176
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:292
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:492
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:500
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:392
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:432
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1264
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b394729f1aa0b1ea05b753cf7a0bd1f8.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b394729f1aa0b1ea05b753cf7a0bd1f8.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2716
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize381KB
MD5daec5c9eb310a4d5a156844ed8c2f1d0
SHA194360748158ac165b756aed8088c0fe766095010
SHA2564c630bd04298c1dae60f68fe6036072ed109403baabbadb0ad3fb5ad963dc274
SHA51226002218575af8c06e12b193e92bab8c23fed460d93e85364178f894e0aeb00e58c4b246b0e964d008ccb415f64fd260def9b6a7afa07668bb9b0ee791060fd6
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize377KB
MD5c40cf6aab1f876e152b302d911e0a02e
SHA12a51c2c583de974ef53c04ed4e7294d6f5936284
SHA2569d60beaca51187e8388b488c8b3a0f08f58232ee379f2983344ec8f2fcde0930
SHA5125926e3ee391ed6f0885ebeb99ea079846cac429da6a9e84c2835f291d1f53daa8ac5f15510152f3e29b9f4ddfc12b6ae89f5997d662317da021a51cce124c5ff
-
Filesize
184KB
MD5b394729f1aa0b1ea05b753cf7a0bd1f8
SHA151c6ca4451baa287e7bdf4b426e355d2175ddb28
SHA2562602dfe432e5021c0654f015c2c30c4f2790872343710245c2005c1b77337be6
SHA5125f1b534b35aad584cb5f3277a7ea23fc0835713db91882daf1128081f3ce9ee196c910b59711214cdb661814c692dcc6ec4107da263659603bb8d3cbd66d333d