Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
11/03/2025, 05:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe
Resource
win7-20240903-en
windows7-x64
15 signatures
150 seconds
Behavioral task
behavioral2
Sample
JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
15 signatures
150 seconds
General
-
Target
JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe
-
Size
537KB
-
MD5
636f1fa360980a9d69f5b980b6c274f3
-
SHA1
56c07b5150db28270a4cae38d0e2fbc8e9f927c6
-
SHA256
7f7b94905d3ff754f376539af1180b82ba75caefb6e58ab38d0f8b91f5b3738d
-
SHA512
84e01717567fd27e393fce5a38d5be84d96b76fcd020e436c06c75b1ca46090ae56784dd954b3444fb0d33f415a587ef42d25ab86f1870279dde00b3b617a32b
-
SSDEEP
12288:G4mmnDnVHbdTGo71Jt+aIbJAF73UXUd65lsY6H:xZnPvNIb2F73Ukd65lJk
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 2 IoCs
resource yara_rule behavioral2/memory/1464-7-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades behavioral2/memory/1464-9-0x0000000000400000-0x0000000000478000-memory.dmp family_blackshades -
Modifies firewall policy service 3 TTPs 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe:*:Enabled:Windows Messanger" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications reg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe -
Executes dropped EXE 1 IoCs
pid Process 4952 VSCover.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\VSCover.exe" VSCover.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4848 set thread context of 1464 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 88 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AppLaunch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VSCover.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 2992 reg.exe 3420 reg.exe 4884 reg.exe 1884 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4952 VSCover.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe Token: 1 1464 AppLaunch.exe Token: SeCreateTokenPrivilege 1464 AppLaunch.exe Token: SeAssignPrimaryTokenPrivilege 1464 AppLaunch.exe Token: SeLockMemoryPrivilege 1464 AppLaunch.exe Token: SeIncreaseQuotaPrivilege 1464 AppLaunch.exe Token: SeMachineAccountPrivilege 1464 AppLaunch.exe Token: SeTcbPrivilege 1464 AppLaunch.exe Token: SeSecurityPrivilege 1464 AppLaunch.exe Token: SeTakeOwnershipPrivilege 1464 AppLaunch.exe Token: SeLoadDriverPrivilege 1464 AppLaunch.exe Token: SeSystemProfilePrivilege 1464 AppLaunch.exe Token: SeSystemtimePrivilege 1464 AppLaunch.exe Token: SeProfSingleProcessPrivilege 1464 AppLaunch.exe Token: SeIncBasePriorityPrivilege 1464 AppLaunch.exe Token: SeCreatePagefilePrivilege 1464 AppLaunch.exe Token: SeCreatePermanentPrivilege 1464 AppLaunch.exe Token: SeBackupPrivilege 1464 AppLaunch.exe Token: SeRestorePrivilege 1464 AppLaunch.exe Token: SeShutdownPrivilege 1464 AppLaunch.exe Token: SeDebugPrivilege 1464 AppLaunch.exe Token: SeAuditPrivilege 1464 AppLaunch.exe Token: SeSystemEnvironmentPrivilege 1464 AppLaunch.exe Token: SeChangeNotifyPrivilege 1464 AppLaunch.exe Token: SeRemoteShutdownPrivilege 1464 AppLaunch.exe Token: SeUndockPrivilege 1464 AppLaunch.exe Token: SeSyncAgentPrivilege 1464 AppLaunch.exe Token: SeEnableDelegationPrivilege 1464 AppLaunch.exe Token: SeManageVolumePrivilege 1464 AppLaunch.exe Token: SeImpersonatePrivilege 1464 AppLaunch.exe Token: SeCreateGlobalPrivilege 1464 AppLaunch.exe Token: 31 1464 AppLaunch.exe Token: 32 1464 AppLaunch.exe Token: 33 1464 AppLaunch.exe Token: 34 1464 AppLaunch.exe Token: 35 1464 AppLaunch.exe Token: SeDebugPrivilege 4952 VSCover.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 1464 AppLaunch.exe 1464 AppLaunch.exe 1464 AppLaunch.exe 1464 AppLaunch.exe -
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target PID 4848 wrote to memory of 1464 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 88 PID 4848 wrote to memory of 1464 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 88 PID 4848 wrote to memory of 1464 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 88 PID 4848 wrote to memory of 1464 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 88 PID 4848 wrote to memory of 1464 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 88 PID 4848 wrote to memory of 1464 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 88 PID 4848 wrote to memory of 1464 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 88 PID 4848 wrote to memory of 1464 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 88 PID 1464 wrote to memory of 4808 1464 AppLaunch.exe 89 PID 1464 wrote to memory of 4808 1464 AppLaunch.exe 89 PID 1464 wrote to memory of 4808 1464 AppLaunch.exe 89 PID 1464 wrote to memory of 4796 1464 AppLaunch.exe 90 PID 1464 wrote to memory of 4796 1464 AppLaunch.exe 90 PID 1464 wrote to memory of 4796 1464 AppLaunch.exe 90 PID 1464 wrote to memory of 4536 1464 AppLaunch.exe 91 PID 1464 wrote to memory of 4536 1464 AppLaunch.exe 91 PID 1464 wrote to memory of 4536 1464 AppLaunch.exe 91 PID 1464 wrote to memory of 452 1464 AppLaunch.exe 92 PID 1464 wrote to memory of 452 1464 AppLaunch.exe 92 PID 1464 wrote to memory of 452 1464 AppLaunch.exe 92 PID 4536 wrote to memory of 2992 4536 cmd.exe 97 PID 4536 wrote to memory of 2992 4536 cmd.exe 97 PID 4536 wrote to memory of 2992 4536 cmd.exe 97 PID 4808 wrote to memory of 3420 4808 cmd.exe 98 PID 4808 wrote to memory of 3420 4808 cmd.exe 98 PID 4808 wrote to memory of 3420 4808 cmd.exe 98 PID 452 wrote to memory of 4884 452 cmd.exe 99 PID 452 wrote to memory of 4884 452 cmd.exe 99 PID 452 wrote to memory of 4884 452 cmd.exe 99 PID 4796 wrote to memory of 1884 4796 cmd.exe 100 PID 4796 wrote to memory of 1884 4796 cmd.exe 100 PID 4796 wrote to memory of 1884 4796 cmd.exe 100 PID 4848 wrote to memory of 4952 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 101 PID 4848 wrote to memory of 4952 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 101 PID 4848 wrote to memory of 4952 4848 JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_636f1fa360980a9d69f5b980b6c274f3.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3420
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1884
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2992
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\svchost.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4884
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VSCover.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VSCover.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4952
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD54ed67c056c520b02619836b5b5a03bed
SHA15cca9b1083aef2220a06170967ceb24f3c456cc6
SHA2568eef60ff78478c1e9322415634708d629074270a7329778156bbc9e141eaa35f
SHA5125b7d327c9489510740f52a431ae222734b53fe2eb30f0777c49e129ea66e30134a91fc67b6bfc993741bc403829354c1078e1c85b82cf74f539f88b587a0d3d4