Analysis
-
max time kernel
91s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system -
submitted
06-11-2022 05:20
Static task
static1
Behavioral task
behavioral1
Sample
fcca444ff3a68a74634ad9c30d7e744cb75559df7914be1a394c9fd4659c46c9.dll
Resource
win7-20220901-en
General
-
Target
fcca444ff3a68a74634ad9c30d7e744cb75559df7914be1a394c9fd4659c46c9.dll
-
Size
120KB
-
MD5
49bc890629ad536e6ac8f65f20f1d40c
-
SHA1
c0e994895307d7eb86cb11aadbecf86a9f64d999
-
SHA256
fcca444ff3a68a74634ad9c30d7e744cb75559df7914be1a394c9fd4659c46c9
-
SHA512
79a7aa83f9037cbc7ddbbe0c743a3f7b907b83e6ced1e89f9f7a221f51d4b75f3878e62819c663611ca682cd60a76bee7cc2ff5fa3288e2017c03d1f77fd657b
-
SSDEEP
3072:N/4lc/b9prS5xZr4R7KDCU/l97PO01vOq6sdPA:F429dwxZr4R7QCKlFtvlA
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e56cf6a.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e56cf6a.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e56cf6a.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e56ca79.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e56ca79.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e56ca79.exe
-
UAC bypass
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e56ca79.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e56cf6a.exe
-
Windows security bypass
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e56ca79.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e56cf6a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e56cf6a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e56ca79.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e56ca79.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e56ca79.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e56ca79.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e56ca79.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e56cf6a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e56cf6a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e56cf6a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e56cf6a.exe
-
Executes dropped EXE 3 IoCs
pid Process 5044 e56ca79.exe 1684 e56cf6a.exe 2412 e56e39e.exe -
resource yara_rule behavioral2/memory/5044-136-0x0000000000790000-0x000000000184A000-memory.dmp upx behavioral2/memory/5044-139-0x0000000000790000-0x000000000184A000-memory.dmp upx behavioral2/memory/5044-148-0x0000000000790000-0x000000000184A000-memory.dmp upx behavioral2/memory/5044-149-0x0000000000790000-0x000000000184A000-memory.dmp upx behavioral2/memory/1684-150-0x0000000000B30000-0x0000000001BEA000-memory.dmp upx behavioral2/memory/1684-152-0x0000000000B30000-0x0000000001BEA000-memory.dmp upx -
Windows security modification
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e56cf6a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e56cf6a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e56cf6a.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e56ca79.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e56ca79.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e56ca79.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e56ca79.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e56cf6a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e56cf6a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e56cf6a.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e56cf6a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e56ca79.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e56ca79.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e56ca79.exe
-
Checks whether UAC is enabled
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e56ca79.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e56cf6a.exe
-
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: e56ca79.exe File opened (read-only) \??\O: e56ca79.exe File opened (read-only) \??\H: e56ca79.exe File opened (read-only) \??\K: e56ca79.exe File opened (read-only) \??\N: e56ca79.exe File opened (read-only) \??\R: e56ca79.exe File opened (read-only) \??\S: e56ca79.exe File opened (read-only) \??\E: e56ca79.exe File opened (read-only) \??\J: e56ca79.exe File opened (read-only) \??\L: e56ca79.exe File opened (read-only) \??\M: e56ca79.exe File opened (read-only) \??\P: e56ca79.exe File opened (read-only) \??\Q: e56ca79.exe File opened (read-only) \??\G: e56ca79.exe File opened (read-only) \??\I: e56ca79.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\e56cc6d e56ca79.exe File opened for modification C:\Windows\SYSTEM.INI e56ca79.exe File created C:\Windows\e571fdc e56cf6a.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 5044 e56ca79.exe 5044 e56ca79.exe 5044 e56ca79.exe 5044 e56ca79.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: 
SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe Token: SeDebugPrivilege 5044 e56ca79.exe -
Suspicious use of WriteProcessMemory 47 IoCs
description pid Process procid_target PID 4956 wrote to memory of 4876 4956 rundll32.exe 81 PID 4956 wrote to memory of 4876 4956 rundll32.exe 81 PID 4956 wrote to memory of 4876 4956 rundll32.exe 81 PID 4876 wrote to memory of 5044 4876 rundll32.exe 82 PID 4876 wrote to memory of 5044 4876 rundll32.exe 82 PID 4876 wrote to memory of 5044 4876 rundll32.exe 82 PID 5044 wrote to memory of 764 5044 e56ca79.exe 8 PID 5044 wrote to memory of 772 5044 e56ca79.exe 9 PID 5044 wrote to memory of 1016 5044 e56ca79.exe 13 PID 5044 wrote to memory of 2288 5044 e56ca79.exe 34 PID 5044 wrote to memory of 2296 5044 e56ca79.exe 43 PID 5044 wrote to memory of 2436 5044 e56ca79.exe 42 PID 5044 wrote to memory of 3048 5044 e56ca79.exe 73 PID 5044 wrote to memory of 2832 5044 e56ca79.exe 72 PID 5044 wrote to memory of 3248 5044 e56ca79.exe 47 PID 5044 wrote to memory of 3356 5044 e56ca79.exe 70 PID 5044 wrote to memory of 3416 5044 e56ca79.exe 69 PID 5044 wrote to memory of 3568 5044 e56ca79.exe 68 PID 5044 wrote to memory of 3688 5044 e56ca79.exe 67 PID 5044 wrote to memory of 4652 5044 e56ca79.exe 65 PID 5044 wrote to memory of 4956 5044 e56ca79.exe 71 PID 5044 wrote to memory of 4876 5044 e56ca79.exe 81 PID 5044 wrote to memory of 4876 5044 e56ca79.exe 81 PID 4876 wrote to memory of 1684 4876 rundll32.exe 83 PID 4876 wrote to memory of 1684 4876 rundll32.exe 83 PID 4876 wrote to memory of 1684 4876 rundll32.exe 83 PID 4876 wrote to memory of 2412 4876 rundll32.exe 84 PID 4876 wrote to memory of 2412 4876 rundll32.exe 84 PID 4876 wrote to memory of 2412 4876 rundll32.exe 84 PID 5044 wrote to memory of 764 5044 e56ca79.exe 8 PID 5044 wrote to memory of 772 5044 e56ca79.exe 9 PID 5044 wrote to memory of 1016 5044 e56ca79.exe 13 PID 5044 wrote to memory of 2288 5044 e56ca79.exe 34 PID 5044 wrote to memory of 2296 5044 e56ca79.exe 43 PID 5044 wrote to memory of 2436 5044 e56ca79.exe 42 PID 5044 wrote to memory of 3048 5044 e56ca79.exe 73 PID 5044 wrote to memory of 2832 5044 e56ca79.exe 
72 PID 5044 wrote to memory of 3248 5044 e56ca79.exe 47 PID 5044 wrote to memory of 3356 5044 e56ca79.exe 70 PID 5044 wrote to memory of 3416 5044 e56ca79.exe 69 PID 5044 wrote to memory of 3568 5044 e56ca79.exe 68 PID 5044 wrote to memory of 3688 5044 e56ca79.exe 67 PID 5044 wrote to memory of 4652 5044 e56ca79.exe 65 PID 5044 wrote to memory of 1684 5044 e56ca79.exe 83 PID 5044 wrote to memory of 1684 5044 e56ca79.exe 83 PID 5044 wrote to memory of 2412 5044 e56ca79.exe 84 PID 5044 wrote to memory of 2412 5044 e56ca79.exe 84 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e56ca79.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e56cf6a.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:764
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:772
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:1016
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2288
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2436
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2296
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3248
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4652
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3688
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3568
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3416
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3356
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fcca444ff3a68a74634ad9c30d7e744cb75559df7914be1a394c9fd4659c46c9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fcca444ff3a68a74634ad9c30d7e744cb75559df7914be1a394c9fd4659c46c9.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Users\Admin\AppData\Local\Temp\e56ca79.exeC:\Users\Admin\AppData\Local\Temp\e56ca79.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5044
-
-
C:\Users\Admin\AppData\Local\Temp\e56cf6a.exeC:\Users\Admin\AppData\Local\Temp\e56cf6a.exe3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System policy modification
PID:1684
-
-
C:\Users\Admin\AppData\Local\Temp\e56e39e.exeC:\Users\Admin\AppData\Local\Temp\e56e39e.exe3⤵
- Executes dropped EXE
PID:2412
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:2832
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3048
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
97KB
MD5 0ef44bb72fa95076c2026615a8720194
SHA1 244ba1907a16001472b192a90292a17912162950
SHA256 a1a31799948a08b376e7f2c92310004e3beba8bc40569ae76bc70e6a30b02de0
SHA512 3843bfc006704cbdf57f86cfc10a3dd15d16707079cb5cce829d12f049cf0656d4960961d5eb0fbf400c89e6922ce24883b94fa8e369b074d3eba82737b843e1
-
Filesize
97KB
MD5 0ef44bb72fa95076c2026615a8720194
SHA1 244ba1907a16001472b192a90292a17912162950
SHA256 a1a31799948a08b376e7f2c92310004e3beba8bc40569ae76bc70e6a30b02de0
SHA512 3843bfc006704cbdf57f86cfc10a3dd15d16707079cb5cce829d12f049cf0656d4960961d5eb0fbf400c89e6922ce24883b94fa8e369b074d3eba82737b843e1
-
Filesize
97KB
MD5 0ef44bb72fa95076c2026615a8720194
SHA1 244ba1907a16001472b192a90292a17912162950
SHA256 a1a31799948a08b376e7f2c92310004e3beba8bc40569ae76bc70e6a30b02de0
SHA512 3843bfc006704cbdf57f86cfc10a3dd15d16707079cb5cce829d12f049cf0656d4960961d5eb0fbf400c89e6922ce24883b94fa8e369b074d3eba82737b843e1
-
Filesize
97KB
MD5 0ef44bb72fa95076c2026615a8720194
SHA1 244ba1907a16001472b192a90292a17912162950
SHA256 a1a31799948a08b376e7f2c92310004e3beba8bc40569ae76bc70e6a30b02de0
SHA512 3843bfc006704cbdf57f86cfc10a3dd15d16707079cb5cce829d12f049cf0656d4960961d5eb0fbf400c89e6922ce24883b94fa8e369b074d3eba82737b843e1
-
Filesize
97KB
MD5 0ef44bb72fa95076c2026615a8720194
SHA1 244ba1907a16001472b192a90292a17912162950
SHA256 a1a31799948a08b376e7f2c92310004e3beba8bc40569ae76bc70e6a30b02de0
SHA512 3843bfc006704cbdf57f86cfc10a3dd15d16707079cb5cce829d12f049cf0656d4960961d5eb0fbf400c89e6922ce24883b94fa8e369b074d3eba82737b843e1
-
Filesize
97KB
MD5 0ef44bb72fa95076c2026615a8720194
SHA1 244ba1907a16001472b192a90292a17912162950
SHA256 a1a31799948a08b376e7f2c92310004e3beba8bc40569ae76bc70e6a30b02de0
SHA512 3843bfc006704cbdf57f86cfc10a3dd15d16707079cb5cce829d12f049cf0656d4960961d5eb0fbf400c89e6922ce24883b94fa8e369b074d3eba82737b843e1