Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
26-08-2022 14:25
Behavioral task
behavioral1
Sample
1.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
1.exe
Resource
win10v2004-20220812-en
General
-
Target
1.exe
-
Size
204KB
-
MD5
21a05f8f6f5402757c74e0c4b7e40786
-
SHA1
1e9d519b601b39dc76a8e0a2da50c6ba6978d58d
-
SHA256
1318f8a4566a50537f579d24fd1aabcf7e22e89bc75ffd13b3088fc6e80e9a2a
-
SHA512
e3352cca7728fea90a0be4c4326aa42e684dda66f16d3c0c91f92464b6aa2fda0c9385d4ec6b21d18073a127b8f1cf0d071151675e7fd47154198bf1bddc9e58
-
SSDEEP
1536:dvKSz7JSYOTcZ4+Ir2cJI6A4fS58yqiwUxkOceFgX+22UdF2yIj6+OYuBf5lfEDX:0oJSOQr2caLXEQxZcGgX52SpjVsuWtR
Malware Config
Extracted
C:\Users\Public\Documents\RGNR_0540BF83.txt
ragnarlocker
http://p6o7m73ujalhgkiv.onion/?p=171
http://mykgoj7uvqtgl367.onion/client/?6bECA2b2AFFfBC1Dff0aa0EaaAd468bec0903b5e4Ea58ecde3C264bC55c7389E
http://p6o7m73ujalhgkiv.onion/?page_id=171
Signatures
-
RagnarLocker
Ransomware first seen at the end of 2019, which has been used in targetted attacks against multiple companies.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\CloseMove.png => C:\Users\Admin\Pictures\CloseMove.png.ragnar_0540BF83 1.exe File opened for modification C:\Users\Admin\Pictures\InstallMove.tiff 1.exe File renamed C:\Users\Admin\Pictures\InstallMove.tiff => C:\Users\Admin\Pictures\InstallMove.tiff.ragnar_0540BF83 1.exe File renamed C:\Users\Admin\Pictures\JoinAssert.crw => C:\Users\Admin\Pictures\JoinAssert.crw.ragnar_0540BF83 1.exe File renamed C:\Users\Admin\Pictures\OutRedo.png => C:\Users\Admin\Pictures\OutRedo.png.ragnar_0540BF83 1.exe File renamed C:\Users\Admin\Pictures\SendTrace.png => C:\Users\Admin\Pictures\SendTrace.png.ragnar_0540BF83 1.exe File renamed C:\Users\Admin\Pictures\SubmitUnblock.tif => C:\Users\Admin\Pictures\SubmitUnblock.tif.ragnar_0540BF83 1.exe File renamed C:\Users\Admin\Pictures\UnregisterTrace.tiff => C:\Users\Admin\Pictures\UnregisterTrace.tiff.ragnar_0540BF83 1.exe File renamed C:\Users\Admin\Pictures\RevokeProtect.png => C:\Users\Admin\Pictures\RevokeProtect.png.ragnar_0540BF83 1.exe File renamed C:\Users\Admin\Pictures\SetDisconnect.png => C:\Users\Admin\Pictures\SetDisconnect.png.ragnar_0540BF83 1.exe File opened for modification C:\Users\Admin\Pictures\UnregisterTrace.tiff 1.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RGNR_0540BF83.txt 1.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: 1.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 1.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml 1.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms 1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-400_contrast-white.png 1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-60_altform-colorize.png 1.exe File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoFrameExtractor\Views\RGNR_0540BF83.txt 1.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-125.png 1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\comment.svg 1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\es-es\ui-strings.js 1.exe File opened for modification C:\Program Files (x86)\Windows Media Player\it-IT\WMPMediaSharing.dll.mui 1.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui 1.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] 1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-white_scale-100.png 1.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt 1.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV 1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising.winmd 1.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-TW\View3d\RGNR_0540BF83.txt 1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-200.png 1.exe File created C:\Program Files (x86)\RGNR_0540BF83.txt 1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons_retina_thumb.png 1.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ca-es\RGNR_0540BF83.txt 1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\plugin.js 1.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms 1.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms 1.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms 1.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\custom.lua 1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\ui-strings.js 1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png 1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\da_get.svg 1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ja-jp\ui-strings.js 1.exe File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\RGNR_0540BF83.txt 1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\199.png 1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.scale-150.png 1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ja-jp\ui-strings.js 1.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml 1.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms 1.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT 1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.ViewElements.winmd 1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat 1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72_contrast-high.png 1.exe File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\RGNR_0540BF83.txt 1.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-125_contrast-black.png 1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_TileMediumSquare.scale-200.png 1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_ellipses_selected-hover.svg 1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hu-hu\ui-strings.js 1.exe File created C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\RGNR_0540BF83.txt 1.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL 1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-32_altform-lightunplated.png 1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-336.png 1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ui-strings.js 1.exe File created C:\Program Files\VideoLAN\VLC\locale\ka\RGNR_0540BF83.txt 1.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-200.png 1.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxWideTile.scale-125.png 1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\WideTile.scale-100.png 1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\GlassGeometryShader.cso 1.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_removeme-default_18.svg 1.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf 1.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar 1.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms 1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\AppxSignature.p7x 1.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.Tests.ps1 1.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ppd.xrm-ms 1.exe File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\RGNR_0540BF83.txt 1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare310x310Logo.scale-100_contrast-black.png 1.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\WebviewOffline.html 1.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters 1.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr 1.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000789d96067ff55f5b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000789d96060000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900789d9606000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters 1.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 3372 vssadmin.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 8 notepad.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe 544 1.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 608 wmic.exe Token: SeSecurityPrivilege 608 wmic.exe Token: SeTakeOwnershipPrivilege 608 wmic.exe Token: SeLoadDriverPrivilege 608 wmic.exe Token: SeSystemProfilePrivilege 608 wmic.exe Token: SeSystemtimePrivilege 608 wmic.exe Token: SeProfSingleProcessPrivilege 608 wmic.exe Token: SeIncBasePriorityPrivilege 608 wmic.exe Token: SeCreatePagefilePrivilege 608 wmic.exe Token: SeBackupPrivilege 608 wmic.exe Token: SeRestorePrivilege 608 wmic.exe Token: SeShutdownPrivilege 608 wmic.exe Token: SeDebugPrivilege 608 wmic.exe Token: SeSystemEnvironmentPrivilege 608 wmic.exe Token: SeRemoteShutdownPrivilege 608 wmic.exe Token: SeUndockPrivilege 608 wmic.exe Token: SeManageVolumePrivilege 608 wmic.exe Token: 33 608 wmic.exe Token: 34 608 wmic.exe Token: 35 608 wmic.exe Token: 36 608 wmic.exe Token: SeIncreaseQuotaPrivilege 608 wmic.exe Token: SeSecurityPrivilege 608 wmic.exe Token: SeTakeOwnershipPrivilege 608 wmic.exe Token: SeLoadDriverPrivilege 608 wmic.exe Token: SeSystemProfilePrivilege 608 wmic.exe Token: SeSystemtimePrivilege 608 wmic.exe Token: SeProfSingleProcessPrivilege 608 wmic.exe Token: SeIncBasePriorityPrivilege 608 wmic.exe Token: SeCreatePagefilePrivilege 608 wmic.exe Token: SeBackupPrivilege 608 wmic.exe Token: SeRestorePrivilege 608 wmic.exe Token: SeShutdownPrivilege 608 wmic.exe Token: SeDebugPrivilege 608 wmic.exe Token: SeSystemEnvironmentPrivilege 608 wmic.exe Token: SeRemoteShutdownPrivilege 608 wmic.exe Token: SeUndockPrivilege 608 wmic.exe Token: SeManageVolumePrivilege 608 wmic.exe Token: 33 608 wmic.exe Token: 34 608 wmic.exe Token: 35 608 wmic.exe Token: 36 608 wmic.exe Token: SeBackupPrivilege 4628 vssvc.exe Token: SeRestorePrivilege 4628 vssvc.exe Token: SeAuditPrivilege 4628 vssvc.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 544 wrote to memory of 608 544 1.exe 85 PID 544 wrote to memory of 608 544 1.exe 85 PID 544 wrote to memory of 3372 544 1.exe 87 PID 544 wrote to memory of 3372 544 1.exe 87 PID 544 wrote to memory of 8 544 1.exe 102 PID 544 wrote to memory of 8 544 1.exe 102 PID 544 wrote to memory of 8 544 1.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:608
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:3372
-
-
C:\Windows\SysWOW64\notepad.exeC:\Users\Public\Documents\RGNR_0540BF83.txt2⤵
- Opens file in notepad (likely ransom note)
PID:8
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4628
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5ebb1e76a32908e6653c933364985f639
SHA169fc0b1ed4cd4548bb4ebbe3d9f2bf7934735ff7
SHA2561c6ab30444efec425084c396107d7f66371bfc526f6f11480263de22a8233c8f
SHA512e35ebebb5c69e26127be6246ca44d8819cc19cbb7fa9eaa861367b414605eb71b66e440fd5bfa404ab950730053e87d5c7daf0bbab7296ee8bd724c81f730abe