Analysis
-
max time kernel
86s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
23-11-2022 10:56
Static task
static1
Behavioral task
behavioral1
Sample
57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe
Resource
win10v2004-20220812-en
General
-
Target
57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe
-
Size
447KB
-
MD5
679e097829ce87f142a76e2b9bd24987
-
SHA1
93d5d56edc49db06c5d1b6d4aa3fa2e3147bc5ef
-
SHA256
57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228
-
SHA512
9063cd1200f3a5f8016cf745ac1835a6f368456aab5f6ff04a106dbb6da24e7071d9a3907a765e9ce93b5db5bddcadd3fca83161add22d4fc81bc4cc658365ba
-
SSDEEP
12288:oYzUX+Dan0BhktrKk3upM+x38vgPSHThKY+HEK:oYzI+GnehktrKkyfljSNKY+HD
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
Processes:
57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exedescription ioc process File created C:\Windows\system32\drivers\nethfdrv.sys 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe -
Executes dropped EXE 5 IoCs
Processes:
installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exepid process 1500 installd.exe 596 nethtsrv.exe 1072 netupdsrv.exe 1692 nethtsrv.exe 1280 netupdsrv.exe -
Loads dropped DLL 13 IoCs
Processes:
57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exeinstalld.exenethtsrv.exenethtsrv.exepid process 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe 1500 installd.exe 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe 596 nethtsrv.exe 596 nethtsrv.exe 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe 1692 nethtsrv.exe 1692 nethtsrv.exe 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 5 IoCs
Processes:
57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exedescription ioc process File created C:\Windows\SysWOW64\hfnapi.dll 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe File created C:\Windows\SysWOW64\hfpapi.dll 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe File created C:\Windows\SysWOW64\installd.exe 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe File created C:\Windows\SysWOW64\nethtsrv.exe 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe File created C:\Windows\SysWOW64\netupdsrv.exe 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe -
Drops file in Program Files directory 3 IoCs
Processes:
57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exedescription ioc process File created C:\Program Files (x86)\Common Files\Config\data.xml 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe File created C:\Program Files (x86)\Common Files\Config\ver.xml 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe File created C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs net.exe
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process 460 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
nethtsrv.exedescription pid process Token: SeDebugPrivilege 1692 nethtsrv.exe -
Suspicious use of WriteProcessMemory 50 IoCs
Processes:
57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exenet.exenet.exenet.exenet.exedescription pid process target process PID 940 wrote to memory of 1328 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe net.exe PID 940 wrote to memory of 1328 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe net.exe PID 940 wrote to memory of 1328 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe net.exe PID 940 wrote to memory of 1328 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe net.exe PID 1328 wrote to memory of 892 1328 net.exe net1.exe PID 1328 wrote to memory of 892 1328 net.exe net1.exe PID 1328 wrote to memory of 892 1328 net.exe net1.exe PID 1328 wrote to memory of 892 1328 net.exe net1.exe PID 940 wrote to memory of 616 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe net.exe PID 940 wrote to memory of 616 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe net.exe PID 940 wrote to memory of 616 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe net.exe PID 940 wrote to memory of 616 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe net.exe PID 616 wrote to memory of 468 616 net.exe net1.exe PID 616 wrote to memory of 468 616 net.exe net1.exe PID 616 wrote to memory of 468 616 net.exe net1.exe PID 616 wrote to memory of 468 616 net.exe net1.exe PID 940 wrote to memory of 1500 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe installd.exe PID 940 wrote to memory of 1500 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe installd.exe PID 940 wrote to memory of 1500 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe installd.exe PID 940 wrote to memory of 1500 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe installd.exe PID 940 wrote to memory of 1500 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe installd.exe PID 940 wrote to memory of 1500 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe installd.exe PID 940 wrote to memory of 1500 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe installd.exe PID 940 wrote to memory of 596 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe nethtsrv.exe PID 940 wrote to memory of 596 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe nethtsrv.exe PID 940 wrote to memory of 596 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe nethtsrv.exe PID 940 wrote to memory of 596 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe nethtsrv.exe PID 940 wrote to memory of 1072 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe netupdsrv.exe PID 940 wrote to memory of 1072 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe netupdsrv.exe PID 940 wrote to memory of 1072 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe netupdsrv.exe PID 940 wrote to memory of 1072 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe netupdsrv.exe PID 940 wrote to memory of 1072 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe netupdsrv.exe PID 940 wrote to memory of 1072 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe netupdsrv.exe PID 940 wrote to memory of 1072 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe netupdsrv.exe PID 940 wrote to memory of 1860 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe net.exe PID 940 wrote to memory of 1860 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe net.exe PID 940 wrote to memory of 1860 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe net.exe PID 940 wrote to memory of 1860 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe net.exe PID 1860 wrote to memory of 964 1860 net.exe net1.exe PID 1860 wrote to memory of 964 1860 net.exe net1.exe PID 1860 wrote to memory of 964 1860 net.exe net1.exe PID 1860 wrote to memory of 964 1860 net.exe net1.exe PID 940 wrote to memory of 896 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe net.exe PID 940 wrote to memory of 896 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe net.exe PID 940 wrote to memory of 896 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe net.exe PID 940 wrote to memory of 896 940 57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe net.exe PID 896 wrote to memory of 1524 896 net.exe net1.exe PID 896 wrote to memory of 1524 896 net.exe net1.exe PID 896 wrote to memory of 1524 896 net.exe net1.exe PID 896 wrote to memory of 1524 896 net.exe net1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe"C:\Users\Admin\AppData\Local\Temp\57205c0b85071b6a7a0702c5482ef80a4851a4461ece27a9d7812668fcb93228.exe"1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\net.exenet stop nethttpservice2⤵
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop nethttpservice3⤵PID:892
-
C:\Windows\SysWOW64\net.exenet stop serviceupdater2⤵
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop serviceupdater3⤵PID:468
-
C:\Windows\SysWOW64\installd.exe"C:\Windows\system32\installd.exe" nethfdrv2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\nethtsrv.exe"C:\Windows\system32\nethtsrv.exe" -nfdi2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:596 -
C:\Windows\SysWOW64\netupdsrv.exe"C:\Windows\system32\netupdsrv.exe" -nfdi2⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\net.exenet start nethttpservice2⤵
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start nethttpservice3⤵PID:964
-
C:\Windows\SysWOW64\net.exenet start serviceupdater2⤵
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start serviceupdater3⤵PID:1524
-
C:\Windows\SysWOW64\nethtsrv.exeC:\Windows\SysWOW64\nethtsrv.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1692
-
C:\Windows\SysWOW64\netupdsrv.exeC:\Windows\SysWOW64\netupdsrv.exe1⤵
- Executes dropped EXE
PID:1280
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
106KB
MD51ebf990e45ab458521c508f40857e8d1
SHA1ec366383f003c892eb45d769bf19212574a9f88e
SHA25617adc592f9f2a0b810e41c38cfbdd155d1e3442d70b23b423e79a851f9ec5271
SHA5125fa0d0e0e8f28d9641a67d82338f6cb7850f4bba94efd1e5675f52b6c7c3e9b33da8327e85039884d8a7977a513930b543aa2c5b12a6548b27a2b0bbc4f1387e
-
Filesize
244KB
MD51db47b4eae6577dc43af1b3c4ace4608
SHA1352757ff5e2b218bf186f80436103986e49a7d81
SHA2562dba2e6a11e370b04f8254f84cdaa2f37dfab00ca9af42742285a379741c7b79
SHA512b3df7a86301ba3b3958c39dd031e37fa27291f117b8a4fac0f6b5bd85ec73e70185e520c1702d252071c4aeb37308d82148b14bc0a2c566a9d8fd556e85d2756
-
Filesize
108KB
MD5da169d617c016e3d38183e2849762d69
SHA1b4ef2ef73653dfbb38b354b90b20a17188bad7cd
SHA25626b6a0d0dff7d36bdb15533441f6fbb728bcef2ff7cf29b2f8fc998f40f8bb5f
SHA5128fa1b814a1015ef1b02ae635db23e1db6bdc476b5b327785d10404004b8c133dfd79d979c65795863176bcd19128a848b1757c9472da45b80e270bb8f51ac3cb
-
Filesize
176KB
MD55417f788a4dc567c52097049b4bbd248
SHA1a8c7a257a47d8f0e9e185ee80c47976815b9ef41
SHA25614f49b164e325e4934569a8f81ed84217d0610967a71133fabfb0631fafd33e7
SHA512bdc7042fc2a05b365418cf65216cce4f248452b6ca6bfbd82e477e543b33a367522c95f5b69dd2a4af2f8d1e38e0fa9819a42d9362440f0943dd9e35aea3ae97
-
Filesize
176KB
MD55417f788a4dc567c52097049b4bbd248
SHA1a8c7a257a47d8f0e9e185ee80c47976815b9ef41
SHA25614f49b164e325e4934569a8f81ed84217d0610967a71133fabfb0631fafd33e7
SHA512bdc7042fc2a05b365418cf65216cce4f248452b6ca6bfbd82e477e543b33a367522c95f5b69dd2a4af2f8d1e38e0fa9819a42d9362440f0943dd9e35aea3ae97
-
Filesize
158KB
MD5a18a0d91c53c84b18325651c74a4a700
SHA1537066e9143e9aac2bfbfef3019d16bd90f9ed70
SHA2562b7144f3b76588791878cbc6d4348be82a2b234fc83886f1bee14ad5ebe8dc2b
SHA5121209d69559cdd8b759beb8cd7c4895456e1b0cc32b37620c5e5f1a4ebadd6c85d20eb0c521ed15dd3d1651890511972a442ed0894e8f0fea2fcf23a7123de116
-
Filesize
158KB
MD5a18a0d91c53c84b18325651c74a4a700
SHA1537066e9143e9aac2bfbfef3019d16bd90f9ed70
SHA2562b7144f3b76588791878cbc6d4348be82a2b234fc83886f1bee14ad5ebe8dc2b
SHA5121209d69559cdd8b759beb8cd7c4895456e1b0cc32b37620c5e5f1a4ebadd6c85d20eb0c521ed15dd3d1651890511972a442ed0894e8f0fea2fcf23a7123de116
-
Filesize
11KB
MD5c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
106KB
MD51ebf990e45ab458521c508f40857e8d1
SHA1ec366383f003c892eb45d769bf19212574a9f88e
SHA25617adc592f9f2a0b810e41c38cfbdd155d1e3442d70b23b423e79a851f9ec5271
SHA5125fa0d0e0e8f28d9641a67d82338f6cb7850f4bba94efd1e5675f52b6c7c3e9b33da8327e85039884d8a7977a513930b543aa2c5b12a6548b27a2b0bbc4f1387e
-
Filesize
106KB
MD51ebf990e45ab458521c508f40857e8d1
SHA1ec366383f003c892eb45d769bf19212574a9f88e
SHA25617adc592f9f2a0b810e41c38cfbdd155d1e3442d70b23b423e79a851f9ec5271
SHA5125fa0d0e0e8f28d9641a67d82338f6cb7850f4bba94efd1e5675f52b6c7c3e9b33da8327e85039884d8a7977a513930b543aa2c5b12a6548b27a2b0bbc4f1387e
-
Filesize
106KB
MD51ebf990e45ab458521c508f40857e8d1
SHA1ec366383f003c892eb45d769bf19212574a9f88e
SHA25617adc592f9f2a0b810e41c38cfbdd155d1e3442d70b23b423e79a851f9ec5271
SHA5125fa0d0e0e8f28d9641a67d82338f6cb7850f4bba94efd1e5675f52b6c7c3e9b33da8327e85039884d8a7977a513930b543aa2c5b12a6548b27a2b0bbc4f1387e
-
Filesize
244KB
MD51db47b4eae6577dc43af1b3c4ace4608
SHA1352757ff5e2b218bf186f80436103986e49a7d81
SHA2562dba2e6a11e370b04f8254f84cdaa2f37dfab00ca9af42742285a379741c7b79
SHA512b3df7a86301ba3b3958c39dd031e37fa27291f117b8a4fac0f6b5bd85ec73e70185e520c1702d252071c4aeb37308d82148b14bc0a2c566a9d8fd556e85d2756
-
Filesize
244KB
MD51db47b4eae6577dc43af1b3c4ace4608
SHA1352757ff5e2b218bf186f80436103986e49a7d81
SHA2562dba2e6a11e370b04f8254f84cdaa2f37dfab00ca9af42742285a379741c7b79
SHA512b3df7a86301ba3b3958c39dd031e37fa27291f117b8a4fac0f6b5bd85ec73e70185e520c1702d252071c4aeb37308d82148b14bc0a2c566a9d8fd556e85d2756
-
Filesize
108KB
MD5da169d617c016e3d38183e2849762d69
SHA1b4ef2ef73653dfbb38b354b90b20a17188bad7cd
SHA25626b6a0d0dff7d36bdb15533441f6fbb728bcef2ff7cf29b2f8fc998f40f8bb5f
SHA5128fa1b814a1015ef1b02ae635db23e1db6bdc476b5b327785d10404004b8c133dfd79d979c65795863176bcd19128a848b1757c9472da45b80e270bb8f51ac3cb
-
Filesize
176KB
MD55417f788a4dc567c52097049b4bbd248
SHA1a8c7a257a47d8f0e9e185ee80c47976815b9ef41
SHA25614f49b164e325e4934569a8f81ed84217d0610967a71133fabfb0631fafd33e7
SHA512bdc7042fc2a05b365418cf65216cce4f248452b6ca6bfbd82e477e543b33a367522c95f5b69dd2a4af2f8d1e38e0fa9819a42d9362440f0943dd9e35aea3ae97
-
Filesize
158KB
MD5a18a0d91c53c84b18325651c74a4a700
SHA1537066e9143e9aac2bfbfef3019d16bd90f9ed70
SHA2562b7144f3b76588791878cbc6d4348be82a2b234fc83886f1bee14ad5ebe8dc2b
SHA5121209d69559cdd8b759beb8cd7c4895456e1b0cc32b37620c5e5f1a4ebadd6c85d20eb0c521ed15dd3d1651890511972a442ed0894e8f0fea2fcf23a7123de116