Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
29-01-2025 12:38
Behavioral task
behavioral1
Sample
JaffaCakes118_56ef04ac9ea0460d1a14ee1907d6b56b.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
General
-
Target
JaffaCakes118_56ef04ac9ea0460d1a14ee1907d6b56b.exe
-
Size
64KB
-
MD5
56ef04ac9ea0460d1a14ee1907d6b56b
-
SHA1
be126a1f059d91c6434b13f9dae10def19b818d7
-
SHA256
684c378f5c3133f1b65384635534adfc92cf432a8b32c5468812f6f05e3aa3c0
-
SHA512
9789964b2db12661903ff229913fd6de4c2bfc435233e562038b1c4bf9fc6178df5bd15c6f3cea4c69605c97bb0c894e703e004467f66d55bf8a4f0427c4cd8a
-
SSDEEP
1536:Tu1J3s57Dw0IJ4UrsGNtewwYTNaPAm51/tEa8vHSh:W2vTIyAjtVTNaPAm51VEa8vS
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Ramnit family
-
Executes dropped EXE 1 IoCs
pid Process 2800 WaterMark.exe -
Loads dropped DLL 2 IoCs
pid Process 2696 JaffaCakes118_56ef04ac9ea0460d1a14ee1907d6b56b.exe 2696 JaffaCakes118_56ef04ac9ea0460d1a14ee1907d6b56b.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
resource yara_rule behavioral1/memory/2696-0-0x0000000000400000-0x0000000000447000-memory.dmp upx behavioral1/memory/2696-2-0x0000000000400000-0x0000000000447000-memory.dmp upx behavioral1/files/0x000900000001937b-4.dat upx behavioral1/memory/2696-11-0x0000000000400000-0x0000000000447000-memory.dmp upx behavioral1/memory/2800-13-0x0000000000400000-0x0000000000447000-memory.dmp upx behavioral1/memory/2800-15-0x0000000000400000-0x0000000000447000-memory.dmp upx behavioral1/memory/2800-17-0x0000000000400000-0x0000000000447000-memory.dmp upx behavioral1/memory/2800-49-0x0000000000400000-0x0000000000447000-memory.dmp upx behavioral1/memory/2800-55-0x0000000000400000-0x0000000000447000-memory.dmp upx behavioral1/memory/2800-588-0x0000000000400000-0x0000000000447000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll svchost.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\gstreamer-lite.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\j2pcsc.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Resources.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\JdbcOdbc.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\clock.html svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEERR.DLL svchost.exe File opened for modification C:\Program Files\Common Files\System\ado\msadomd.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libinflate_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Media Player\WMPMediaSharing.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\mozavcodec.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Design.Resources.dll svchost.exe File opened for modification C:\Program Files\Windows Defender\MpCmdRun.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_smem_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\ado\msador15.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\management.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\tnameserv.exe svchost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\ONFILTER.DLL svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\librawdv_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscene_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\WindowsFormsIntegration.resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\PresentationFramework.resources.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwLatin.dll svchost.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe svchost.exe File opened for modification C:\Program Files\Common Files\System\DirectDB.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\javafx-iio.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Management.Instrumentation.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\librv32_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_display_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe svchost.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\AccessibleHandler.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\msvcp140.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_a52_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\atl.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\Microsoft.Ink.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libnetsync_plugin.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationProvider.resources.dll svchost.exe File opened for modification C:\Program Files\Windows Journal\InkSeg.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\settings.html svchost.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\msdatl3.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\MemoryAnalyzer.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\orbd.exe svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\mozwer.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Utilities.v3.5.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libprefetch_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\sidebar.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\WindowsFormsIntegration.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\liboggspots_plugin.dll svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_56ef04ac9ea0460d1a14ee1907d6b56b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process 2800 WaterMark.exe 2800 WaterMark.exe 2800 WaterMark.exe 2800 WaterMark.exe 2800 WaterMark.exe 2800 WaterMark.exe 2800 WaterMark.exe 2800 WaterMark.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe 2244 svchost.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2800 WaterMark.exe Token: SeDebugPrivilege 2244 svchost.exe Token: SeDebugPrivilege 2800 WaterMark.exe Token: SeDebugPrivilege 1536 svchost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2696 wrote to memory of 2800 2696 JaffaCakes118_56ef04ac9ea0460d1a14ee1907d6b56b.exe 30 PID 2696 wrote to memory of 2800 2696 JaffaCakes118_56ef04ac9ea0460d1a14ee1907d6b56b.exe 30 PID 2696 wrote to memory of 2800 2696 JaffaCakes118_56ef04ac9ea0460d1a14ee1907d6b56b.exe 30 PID 2696 wrote to memory of 2800 2696 JaffaCakes118_56ef04ac9ea0460d1a14ee1907d6b56b.exe 30 PID 2800 wrote to memory of 1536 2800 WaterMark.exe 31 PID 2800 wrote to memory of 1536 2800 WaterMark.exe 31 PID 2800 wrote to memory of 1536 2800 WaterMark.exe 31 PID 2800 wrote to memory of 1536 2800 WaterMark.exe 31 PID 2800 wrote to memory of 1536 2800 WaterMark.exe 31 PID 2800 wrote to memory of 1536 2800 WaterMark.exe 31 PID 2800 wrote to memory of 1536 2800 WaterMark.exe 31 PID 2800 wrote to memory of 1536 2800 WaterMark.exe 31 PID 2800 wrote to memory of 1536 2800 WaterMark.exe 31 PID 2800 wrote to memory of 1536 2800 WaterMark.exe 31 PID 2800 wrote to memory of 2244 2800 WaterMark.exe 32 PID 2800 wrote to memory of 2244 2800 WaterMark.exe 32 PID 2800 wrote to memory of 2244 2800 WaterMark.exe 32 PID 2800 wrote to memory of 2244 2800 WaterMark.exe 32 PID 2800 wrote to memory of 2244 2800 WaterMark.exe 32 PID 2800 wrote to memory of 2244 2800 WaterMark.exe 32 PID 2800 wrote to memory of 2244 2800 WaterMark.exe 32 PID 2800 wrote to memory of 2244 2800 WaterMark.exe 32 PID 2800 wrote to memory of 2244 2800 WaterMark.exe 32 PID 2800 wrote to memory of 2244 2800 WaterMark.exe 32 PID 2244 wrote to memory of 256 2244 svchost.exe 1 PID 2244 wrote to memory of 256 2244 svchost.exe 1 PID 2244 wrote to memory of 256 2244 svchost.exe 1 PID 2244 wrote to memory of 256 2244 svchost.exe 1 PID 2244 wrote to memory of 256 2244 svchost.exe 1 PID 2244 wrote to memory of 332 2244 svchost.exe 2 PID 2244 wrote to memory of 332 2244 svchost.exe 2 PID 2244 wrote to memory of 332 2244 svchost.exe 2 PID 2244 wrote to memory of 332 2244 svchost.exe 2 PID 2244 wrote to memory of 332 2244 svchost.exe 2 PID 2244 wrote to memory of 384 2244 svchost.exe 3 PID 2244 wrote to memory of 384 2244 svchost.exe 3 PID 2244 wrote to memory of 384 2244 svchost.exe 3 PID 2244 wrote to memory of 384 2244 svchost.exe 3 PID 2244 wrote to memory of 384 2244 svchost.exe 3 PID 2244 wrote to memory of 396 2244 svchost.exe 4 PID 2244 wrote to memory of 396 2244 svchost.exe 4 PID 2244 wrote to memory of 396 2244 svchost.exe 4 PID 2244 wrote to memory of 396 2244 svchost.exe 4 PID 2244 wrote to memory of 396 2244 svchost.exe 4 PID 2244 wrote to memory of 432 2244 svchost.exe 5 PID 2244 wrote to memory of 432 2244 svchost.exe 5 PID 2244 wrote to memory of 432 2244 svchost.exe 5 PID 2244 wrote to memory of 432 2244 svchost.exe 5 PID 2244 wrote to memory of 432 2244 svchost.exe 5 PID 2244 wrote to memory of 476 2244 svchost.exe 6 PID 2244 wrote to memory of 476 2244 svchost.exe 6 PID 2244 wrote to memory of 476 2244 svchost.exe 6 PID 2244 wrote to memory of 476 2244 svchost.exe 6 PID 2244 wrote to memory of 476 2244 svchost.exe 6 PID 2244 wrote to memory of 492 2244 svchost.exe 7 PID 2244 wrote to memory of 492 2244 svchost.exe 7 PID 2244 wrote to memory of 492 2244 svchost.exe 7 PID 2244 wrote to memory of 492 2244 svchost.exe 7 PID 2244 wrote to memory of 492 2244 svchost.exe 7 PID 2244 wrote to memory of 500 2244 svchost.exe 8 PID 2244 wrote to memory of 500 2244 svchost.exe 8 PID 2244 wrote to memory of 500 2244 svchost.exe 8 PID 2244 wrote to memory of 500 2244 svchost.exe 8 PID 2244 wrote to memory of 500 2244 svchost.exe 8
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:256
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:332
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:384
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:476
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:592
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:2040
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵PID:1524
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding4⤵PID:2016
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:672
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:736
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:808
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1176
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:852
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:964
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:108
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:324
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:1044
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1112
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵PID:836
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:2892
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:3028
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:492
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:500
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:396
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:432
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1236
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56ef04ac9ea0460d1a14ee1907d6b56b.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56ef04ac9ea0460d1a14ee1907d6b56b.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1536
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html
Filesize140KB
MD59ac1ca664006fd33dcb13869c84bd013
SHA1d8af327cc43a015c3d864a17c93d1dd3b56dc981
SHA256d611751477d8e91f3ae8d1351ab3dcd28e548111bbad9e0053d96b1d3b60f4e3
SHA512f67c36d2173d72ed4605738721e03fac11c80d22b1fb0e3e1a4de7e06d9a321c4a63623be0cd6987a3e103f979521c8a5eb94c283c83235124bc01b9ad058ddd
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html
Filesize137KB
MD5ad08231fd0b5a9d2b392d09073679a5d
SHA1bfc5d7dc1846a07b0fb841ea9bfb10acd1221702
SHA25626903e911db24f58879a2f856d9d4ffecba42cc5d019e3a09535da8ee643a5da
SHA5129152c4dce2c02f023806516d009b84033951a2178eeeaac72fa55a19bd8497b4e2c56a6339cbfecc539029c9bc47b382a5a60a1d1419dd0760ecd0c5bd8e2172
-
Filesize
64KB
MD556ef04ac9ea0460d1a14ee1907d6b56b
SHA1be126a1f059d91c6434b13f9dae10def19b818d7
SHA256684c378f5c3133f1b65384635534adfc92cf432a8b32c5468812f6f05e3aa3c0
SHA5129789964b2db12661903ff229913fd6de4c2bfc435233e562038b1c4bf9fc6178df5bd15c6f3cea4c69605c97bb0c894e703e004467f66d55bf8a4f0427c4cd8a