Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
23/02/2025, 18:07
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_21975899b65652222255a5c663a34b9e.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_21975899b65652222255a5c663a34b9e.exe
Resource
win10v2004-20250217-en
General
-
Target
JaffaCakes118_21975899b65652222255a5c663a34b9e.exe
-
Size
596KB
-
MD5
21975899b65652222255a5c663a34b9e
-
SHA1
7669700d05191542e4086ad6e0edcb20ca5794c8
-
SHA256
6907c8a0c3e6fb03fde042da76510e8a002eea4ec3b67a1e32eb35202299aae2
-
SHA512
9ac91e48455f9f04df39c344b9ae9a6263d4cfecca3597b2b64e24ca3ef722606c314d53f6a65e6299e83815b27f819b4915cebed6fde04a5293be6b82be7ea7
-
SSDEEP
12288:RV9YMRAECWNUNc2+L0TOeJJ3zxOeZ4yrfYMe1nig:RV2cUx+L0ZLjOWxIn
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 12 IoCs
resource yara_rule behavioral2/memory/3320-20-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/3320-27-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/3320-48-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/3320-50-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/3320-52-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/3320-53-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/3320-54-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/3320-57-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/3320-58-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/3320-61-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/3320-62-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades behavioral2/memory/3320-65-0x0000000000400000-0x0000000000470000-memory.dmp family_blackshades -
Modifies firewall policy service 3 TTPs 10 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\rundll.exe = "C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe:*:Enabled:Windows Messanger" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe JaffaCakes118_21975899b65652222255a5c663a34b9e.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe JaffaCakes118_21975899b65652222255a5c663a34b9e.exe -
Executes dropped EXE 1 IoCs
pid Process 3320 svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 220 set thread context of 3320 220 JaffaCakes118_21975899b65652222255a5c663a34b9e.exe 91 -
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_21975899b65652222255a5c663a34b9e.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 3240 reg.exe 840 reg.exe 2464 reg.exe 4792 reg.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: 1 3320 svchost.exe Token: SeCreateTokenPrivilege 3320 svchost.exe Token: SeAssignPrimaryTokenPrivilege 3320 svchost.exe Token: SeLockMemoryPrivilege 3320 svchost.exe Token: SeIncreaseQuotaPrivilege 3320 svchost.exe Token: SeMachineAccountPrivilege 3320 svchost.exe Token: SeTcbPrivilege 3320 svchost.exe Token: SeSecurityPrivilege 3320 svchost.exe Token: SeTakeOwnershipPrivilege 3320 svchost.exe Token: SeLoadDriverPrivilege 3320 svchost.exe Token: SeSystemProfilePrivilege 3320 svchost.exe Token: SeSystemtimePrivilege 3320 svchost.exe Token: SeProfSingleProcessPrivilege 3320 svchost.exe Token: SeIncBasePriorityPrivilege 3320 svchost.exe Token: SeCreatePagefilePrivilege 3320 svchost.exe Token: SeCreatePermanentPrivilege 3320 svchost.exe Token: SeBackupPrivilege 3320 svchost.exe Token: SeRestorePrivilege 3320 svchost.exe Token: SeShutdownPrivilege 3320 svchost.exe Token: SeDebugPrivilege 3320 svchost.exe Token: SeAuditPrivilege 3320 svchost.exe Token: SeSystemEnvironmentPrivilege 3320 svchost.exe Token: SeChangeNotifyPrivilege 3320 svchost.exe Token: SeRemoteShutdownPrivilege 3320 svchost.exe Token: SeUndockPrivilege 3320 svchost.exe Token: SeSyncAgentPrivilege 3320 svchost.exe Token: SeEnableDelegationPrivilege 3320 svchost.exe Token: SeManageVolumePrivilege 3320 svchost.exe Token: SeImpersonatePrivilege 3320 svchost.exe Token: SeCreateGlobalPrivilege 3320 svchost.exe Token: 31 3320 svchost.exe Token: 32 3320 svchost.exe Token: 33 3320 svchost.exe Token: 34 3320 svchost.exe Token: 35 3320 svchost.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 3320 svchost.exe 3320 svchost.exe 3320 svchost.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 220 wrote to memory of 2784 220 JaffaCakes118_21975899b65652222255a5c663a34b9e.exe 88 PID 220 wrote to memory of 2784 220 JaffaCakes118_21975899b65652222255a5c663a34b9e.exe 88 PID 220 wrote to memory of 2784 220 JaffaCakes118_21975899b65652222255a5c663a34b9e.exe 88 PID 2784 wrote to memory of 1372 2784 csc.exe 90 PID 2784 wrote to memory of 1372 2784 csc.exe 90 PID 2784 wrote to memory of 1372 2784 csc.exe 90 PID 220 wrote to memory of 3320 220 JaffaCakes118_21975899b65652222255a5c663a34b9e.exe 91 PID 220 wrote to memory of 3320 220 JaffaCakes118_21975899b65652222255a5c663a34b9e.exe 91 PID 220 wrote to memory of 3320 220 JaffaCakes118_21975899b65652222255a5c663a34b9e.exe 91 PID 220 wrote to memory of 3320 220 JaffaCakes118_21975899b65652222255a5c663a34b9e.exe 91 PID 220 wrote to memory of 3320 220 JaffaCakes118_21975899b65652222255a5c663a34b9e.exe 91 PID 220 wrote to memory of 3320 220 JaffaCakes118_21975899b65652222255a5c663a34b9e.exe 91 PID 220 wrote to memory of 3320 220 JaffaCakes118_21975899b65652222255a5c663a34b9e.exe 91 PID 220 wrote to memory of 3320 220 JaffaCakes118_21975899b65652222255a5c663a34b9e.exe 91 PID 220 wrote to memory of 3600 220 JaffaCakes118_21975899b65652222255a5c663a34b9e.exe 92 PID 220 wrote to memory of 3600 220 JaffaCakes118_21975899b65652222255a5c663a34b9e.exe 92 PID 220 wrote to memory of 3600 220 JaffaCakes118_21975899b65652222255a5c663a34b9e.exe 92 PID 3600 wrote to memory of 1036 3600 csc.exe 94 PID 3600 wrote to memory of 1036 3600 csc.exe 94 PID 3600 wrote to memory of 1036 3600 csc.exe 94 PID 3320 wrote to memory of 4764 3320 svchost.exe 95 PID 3320 wrote to memory of 4764 3320 svchost.exe 95 PID 3320 wrote to memory of 4764 3320 svchost.exe 95 PID 3320 wrote to memory of 2344 3320 svchost.exe 96 PID 3320 wrote to memory of 2344 3320 svchost.exe 96 PID 3320 wrote to memory of 2344 3320 svchost.exe 96 PID 3320 wrote to memory of 3508 3320 svchost.exe 97 PID 3320 wrote to memory of 3508 3320 svchost.exe 97 PID 3320 wrote to memory of 3508 3320 svchost.exe 97 PID 3320 wrote to memory of 1224 3320 svchost.exe 98 PID 3320 wrote to memory of 1224 3320 svchost.exe 98 PID 3320 wrote to memory of 1224 3320 svchost.exe 98 PID 1224 wrote to memory of 840 1224 cmd.exe 103 PID 1224 wrote to memory of 840 1224 cmd.exe 103 PID 1224 wrote to memory of 840 1224 cmd.exe 103 PID 3508 wrote to memory of 4792 3508 cmd.exe 104 PID 3508 wrote to memory of 4792 3508 cmd.exe 104 PID 3508 wrote to memory of 4792 3508 cmd.exe 104 PID 2344 wrote to memory of 2464 2344 cmd.exe 105 PID 2344 wrote to memory of 2464 2344 cmd.exe 105 PID 2344 wrote to memory of 2464 2344 cmd.exe 105 PID 4764 wrote to memory of 3240 4764 cmd.exe 106 PID 4764 wrote to memory of 3240 4764 cmd.exe 106 PID 4764 wrote to memory of 3240 4764 cmd.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21975899b65652222255a5c663a34b9e.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xrij8ax5.cmdline"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0FD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD0FC.tmp"3⤵
- System Location Discovery: System Language Discovery
PID:1372
-
-
-
C:\Users\Admin\AppData\Roaming\svchost.exeC:\Users\Admin\AppData\Roaming\svchost.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3240
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2464
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4792
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\rundll.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\rundll.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:840
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xrij8ax5.cmdline"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD40A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD409.tmp"3⤵
- System Location Discovery: System Language Discovery
PID:1036
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c027b134c82f4b2c2aca822ac01fd97a
SHA1094cccc04af87bf4bb6577c1cf9454da1ad1a2ff
SHA2564a11a1bfba0e8a0cfb7236c0b8cf75c53ba975dd880d5238921fe1a4c2069aa3
SHA5125c2d15d3150198872f479a49447d92c8ba8c096622c14b957122c6c108f116a3430ce9eff72f90457019909684f7be53ac2fb2f65383bd287139fbab67fe6b1c
-
Filesize
1KB
MD5ddceb3e125aadcb7eb3379c21b7cbfe7
SHA19b2a73a5889665552493bc7db47ee10243bd5c31
SHA256665ad0a339eb3babc9fa9dbb9630b84cda59df1f019edc064d9c4f384043e990
SHA51201502d1e3942275ef8a76826cb26382e6949aeaed24533d7ab5d54b70f653b4399a118a506629675797a6a34ecbae8b7cae0fbb1b0e13b0f1e40a18b488e4089
-
Filesize
10KB
MD57873d235dfd29c5c9dabb34839980c7a
SHA1fe0f31c78cdd8528974754e24bdd9ca4659594d9
SHA256de27931715bb12052801a6598b5b737048166ceb873aa4e33d47a2af835e566f
SHA512e4496ed2bc1bfc14455671f0e5cac59ac5d25c546ff8e61e4ea8f9b2dbf4dd27c97ac60534e758d887b2831368de1eedbfb1b34455c7e6bf2a49d588fe1d1a34
-
Filesize
3KB
MD57bcc5c8e9d4df5cf1e705db5d2e87d41
SHA17fb1c339b7b1b2a19dcf2b5185756bab849012ad
SHA256c66f4ed614cc01dbcc84d6b2c2161c0c5188346b101936a710543bdb2aedca35
SHA512e6bf00c19f31e7706a3e12dfc3893366a5d038b703802c801bb4090ee0cb24d91241d17602abc303d96d1461d710b57c7039fdccea475faa98b09b6a8b6aeb51
-
Filesize
1KB
MD5caf7ad8a6755ca9190121f60fc7d1886
SHA1434e415c5db0560ac70a22546ce138a9190d0fbd
SHA2567bfaa18112edd91b95795d1a080c3b768b585d1ed559e60d0d7368cfd9513d89
SHA512d9b924cb49c2ebcaf58cfd0ecaa7c026076c22ddc75008b40bc0f62a9d76d464e20cae93028974f73ee1232e6ad6f9927882a20f42a728ec6d821d030002f1ae
-
Filesize
652B
MD5e608a1545e05698b7f44314b7436cc73
SHA15c1c5111311dc5de3ad172d7de5a89d85573fc29
SHA256f79d7d9c87b18b35cdaebd73211b53a8c3d89906f9e84c9d3c1ed863507479c2
SHA5129f88d7e62eeaf0da6faf711bfc764bfad06380d9569e52626484eb4b9f27960b6ce5fa0f77d65621b12e9eb2afc9c0cc4cbdfb5abc2b2e4148991ad2e50bba16
-
Filesize
8KB
MD5164dc3f006aea54e9f83a8d96e366164
SHA1a32fb4dd0b29075a0f94000b61ee441be21c879e
SHA25638ce0b573e1aa8eac080f26b57829a5bbc49104f98305932cc8bc1e3cc226d14
SHA512b6391ccf6e150039056e98c82e47a45f328c699a130412863c633d1506af50c9babe2a299383ce1c32a8abdb7fe61a9b3724a5afda61605e2844114ca0e47ee7
-
Filesize
571B
MD5ffbf968e7e7ddb392daa00f9ff61f4eb
SHA1569a6f2b38fb6971c766b39d21f74aee2e3d2765
SHA256e6085f3cf5b1b4b91c4cb1efd863a115920283a566d9484e9288829b40119d69
SHA5129438c30d52a01b4923daee6733547db95bc933338358959c40658abf5a5dcd394e890eb2ad5ff07d1c5f4d33596c6d5bf1e0b6f76a274c50cd5a5bdf920b2340
-
Filesize
187B
MD5ae040102f7f1b0f54f999afde9452abf
SHA1caeef0a429887f6a10669767655ea26fae90ec37
SHA256f4284c5cd990f7bd09f5752516ddd680fa8beb3b0e9dfbd777a172f514654593
SHA512715856860ea50c6f77054141e0fd948ce5dc35930827c879e061e34d3d55065adf44b0c357edff09abcf405b8da0909943a83f2aff368f6e369b6e2f56eeb69d
-
Filesize
203B
MD5685b406b25bb74f2edea8e2c352381f4
SHA14607038c233c137a3b01ff92fe979f3ba6090407
SHA256a05eac72245ef2df4f437adbdd30e58daede9173061778401f264f8390334296
SHA512f2b9c3b4fad090c84a68033c573ef83c862081ad0e56f1213d356929af48faed82aa5cda44f6acd7a4b7a92decc0160e33fda935f9b546c48f9b1004044b2845