Analysis
-
max time kernel
128s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
06-05-2023 22:15
Static task
static1
Behavioral task
behavioral1
Sample
63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39.exe
Resource
win10v2004-20230220-en
General
-
Target
63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39.exe
-
Size
1.2MB
-
MD5
dcfb5b038ac3723af9f4f8edcb9001f5
-
SHA1
34d4150135543e6a7c8bceb76675da82c1a09e61
-
SHA256
63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39
-
SHA512
02c08d8f5e4710df611e34208d6b6d46eff327e97ba08f156c4be81b798fc9ba8308baf91c4f06ef5c1276a709950f3948c964a794ebd7dc33fe9909d8eba745
-
SSDEEP
24576:uyeORhvlcH7Vi+TeTgYgbqlvPDZUiGVRb4CBjVRTTlvtZ3Z9DTF:9JRh67Qlguv7WECBj7RzDT
Malware Config
Extracted
redline
gena
185.161.248.73:4164
-
auth_value
d05bf43eef533e262271449829751d07
Extracted
redline
life
185.161.248.73:4164
-
auth_value
8685d11953530b68ad5ec703809d9f91
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 6 IoCs
Processes:
z70311161.exez73431010.exez82597285.exes07808503.exe1.exet50783388.exepid process 1956 z70311161.exe 1048 z73431010.exe 1160 z82597285.exe 1760 s07808503.exe 744 1.exe 1664 t50783388.exe -
Loads dropped DLL 13 IoCs
Processes:
63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39.exez70311161.exez73431010.exez82597285.exes07808503.exe1.exet50783388.exepid process 2004 63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39.exe 1956 z70311161.exe 1956 z70311161.exe 1048 z73431010.exe 1048 z73431010.exe 1160 z82597285.exe 1160 z82597285.exe 1160 z82597285.exe 1760 s07808503.exe 1760 s07808503.exe 744 1.exe 1160 z82597285.exe 1664 t50783388.exe -
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
z70311161.exez73431010.exez82597285.exe63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" z70311161.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce z73431010.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" z73431010.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce z82597285.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" z82597285.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce 63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce z70311161.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
s07808503.exedescription pid process Token: SeDebugPrivilege 1760 s07808503.exe -
Suspicious use of WriteProcessMemory 42 IoCs
Processes:
63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39.exez70311161.exez73431010.exez82597285.exes07808503.exedescription pid process target process PID 2004 wrote to memory of 1956 2004 63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39.exe z70311161.exe PID 2004 wrote to memory of 1956 2004 63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39.exe z70311161.exe PID 2004 wrote to memory of 1956 2004 63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39.exe z70311161.exe PID 2004 wrote to memory of 1956 2004 63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39.exe z70311161.exe PID 2004 wrote to memory of 1956 2004 63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39.exe z70311161.exe PID 2004 wrote to memory of 1956 2004 63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39.exe z70311161.exe PID 2004 wrote to memory of 1956 2004 63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39.exe z70311161.exe PID 1956 wrote to memory of 1048 1956 z70311161.exe z73431010.exe PID 1956 wrote to memory of 1048 1956 z70311161.exe z73431010.exe PID 1956 wrote to memory of 1048 1956 z70311161.exe z73431010.exe PID 1956 wrote to memory of 1048 1956 z70311161.exe z73431010.exe PID 1956 wrote to memory of 1048 1956 z70311161.exe z73431010.exe PID 1956 wrote to memory of 1048 1956 z70311161.exe z73431010.exe PID 1956 wrote to memory of 1048 1956 z70311161.exe z73431010.exe PID 1048 wrote to memory of 1160 1048 z73431010.exe z82597285.exe PID 1048 wrote to memory of 1160 1048 z73431010.exe z82597285.exe PID 1048 wrote to memory of 1160 1048 z73431010.exe z82597285.exe PID 1048 wrote to memory of 1160 1048 z73431010.exe z82597285.exe PID 1048 wrote to memory of 1160 1048 z73431010.exe z82597285.exe PID 1048 wrote to memory of 1160 1048 z73431010.exe z82597285.exe PID 1048 wrote to memory of 1160 1048 z73431010.exe z82597285.exe PID 1160 wrote to memory of 1760 1160 z82597285.exe s07808503.exe PID 1160 wrote to memory of 1760 1160 z82597285.exe s07808503.exe PID 1160 wrote to memory of 1760 1160 z82597285.exe s07808503.exe PID 1160 wrote to memory of 1760 1160 z82597285.exe s07808503.exe PID 1160 wrote to memory of 1760 1160 z82597285.exe s07808503.exe PID 1160 wrote to memory of 1760 1160 z82597285.exe s07808503.exe PID 1160 wrote to memory of 1760 1160 z82597285.exe s07808503.exe PID 1760 wrote to memory of 744 1760 s07808503.exe 1.exe PID 1760 wrote to memory of 744 1760 s07808503.exe 1.exe PID 1760 wrote to memory of 744 1760 s07808503.exe 1.exe PID 1760 wrote to memory of 744 1760 s07808503.exe 1.exe PID 1760 wrote to memory of 744 1760 s07808503.exe 1.exe PID 1760 wrote to memory of 744 1760 s07808503.exe 1.exe PID 1760 wrote to memory of 744 1760 s07808503.exe 1.exe PID 1160 wrote to memory of 1664 1160 z82597285.exe t50783388.exe PID 1160 wrote to memory of 1664 1160 z82597285.exe t50783388.exe PID 1160 wrote to memory of 1664 1160 z82597285.exe t50783388.exe PID 1160 wrote to memory of 1664 1160 z82597285.exe t50783388.exe PID 1160 wrote to memory of 1664 1160 z82597285.exe t50783388.exe PID 1160 wrote to memory of 1664 1160 z82597285.exe t50783388.exe PID 1160 wrote to memory of 1664 1160 z82597285.exe t50783388.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39.exe"C:\Users\Admin\AppData\Local\Temp\63f398c9aac35480470578d78bd5837f3f78b6c250440d80b4eaba50f203fe39.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z70311161.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z70311161.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z73431010.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z73431010.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z82597285.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z82597285.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s07808503.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s07808503.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:744
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t50783388.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\t50783388.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD5542575865f3fb44ad412825f94e91486
SHA11cac46ad65ff3dc9d6c1184e99106dc4555fcae0
SHA256fe862a085377a9977e54dee74204c95ea90af9f1e6d9e0b8c749884d785212bf
SHA5123676b97e9720a30fb2a1dd35a84a87f0c4a14bd177eb1e930f347b512eb850b3cde6e00fac56833e494ed233a1d7e60f6f2d1e5f6ecedb79ee5030ab982860ec
-
Filesize
1.0MB
MD5542575865f3fb44ad412825f94e91486
SHA11cac46ad65ff3dc9d6c1184e99106dc4555fcae0
SHA256fe862a085377a9977e54dee74204c95ea90af9f1e6d9e0b8c749884d785212bf
SHA5123676b97e9720a30fb2a1dd35a84a87f0c4a14bd177eb1e930f347b512eb850b3cde6e00fac56833e494ed233a1d7e60f6f2d1e5f6ecedb79ee5030ab982860ec
-
Filesize
760KB
MD5579b36d3d93d5c047ca874b3d2dbac82
SHA193db531eeaa0d8ded7ff99067d0a7da180c78707
SHA256cd3420423f908cc4b30c156d47ecef9d9d29c2ef47e8bf6a54aaab3cc3ece224
SHA5124c0f1351fffc9d8537be4751f62fbe193010743ca990426163582e0515f8d2e0022f0ea0619dd50a7a1a9217f26cac60d46fbc3d38064541a8af87934c67efe3
-
Filesize
760KB
MD5579b36d3d93d5c047ca874b3d2dbac82
SHA193db531eeaa0d8ded7ff99067d0a7da180c78707
SHA256cd3420423f908cc4b30c156d47ecef9d9d29c2ef47e8bf6a54aaab3cc3ece224
SHA5124c0f1351fffc9d8537be4751f62fbe193010743ca990426163582e0515f8d2e0022f0ea0619dd50a7a1a9217f26cac60d46fbc3d38064541a8af87934c67efe3
-
Filesize
578KB
MD52cdeee7d26cb31ad61a6b7e8994e3d8a
SHA1a0294d0439ebc7bc89f3cf7b1a972a2faba84621
SHA256dea04a4bd306a1d8782d76e73744edf35e271e8106c8921019e83ae78528d8c0
SHA5125708d9bbca89075d430502d721db3ee262f07c04d5e46bfb1995e983be7df9a806544d1ccc16832cb9cf4cef039a1af1607d7f4eabb1ed9d747375f8773e358f
-
Filesize
578KB
MD52cdeee7d26cb31ad61a6b7e8994e3d8a
SHA1a0294d0439ebc7bc89f3cf7b1a972a2faba84621
SHA256dea04a4bd306a1d8782d76e73744edf35e271e8106c8921019e83ae78528d8c0
SHA5125708d9bbca89075d430502d721db3ee262f07c04d5e46bfb1995e983be7df9a806544d1ccc16832cb9cf4cef039a1af1607d7f4eabb1ed9d747375f8773e358f
-
Filesize
502KB
MD5cf96586dd8f85714b7a5b949c613e403
SHA1f45c5add69c3cefa48483f7acb6ae269136d9fc1
SHA256bb9abad0b536ea3ab3cc867face6c36fc35c5e403db530f20921b4ebc6f5e908
SHA512e8af51310f53d2f04ef67677e7b0d1b3545c204694b9c615cfeb219e656d68f416846cbbad7d8b5fd13c1a872462200f7593d346941acb1df9160f079006782f
-
Filesize
502KB
MD5cf96586dd8f85714b7a5b949c613e403
SHA1f45c5add69c3cefa48483f7acb6ae269136d9fc1
SHA256bb9abad0b536ea3ab3cc867face6c36fc35c5e403db530f20921b4ebc6f5e908
SHA512e8af51310f53d2f04ef67677e7b0d1b3545c204694b9c615cfeb219e656d68f416846cbbad7d8b5fd13c1a872462200f7593d346941acb1df9160f079006782f
-
Filesize
502KB
MD5cf96586dd8f85714b7a5b949c613e403
SHA1f45c5add69c3cefa48483f7acb6ae269136d9fc1
SHA256bb9abad0b536ea3ab3cc867face6c36fc35c5e403db530f20921b4ebc6f5e908
SHA512e8af51310f53d2f04ef67677e7b0d1b3545c204694b9c615cfeb219e656d68f416846cbbad7d8b5fd13c1a872462200f7593d346941acb1df9160f079006782f
-
Filesize
169KB
MD5739c5ad2e7a49c97aa59bb48c5a5d72e
SHA1e131e1c105a13dd4390ea301f6111577cb9853fc
SHA256de1063c59c10558882f40fa1169e8f591e4a5f709f302295399e93808af00049
SHA512ceacf27ec0d922c2abe62fe54bc3aaf5caab301796b703674290d75eb1e8f7b895f6f39c25757e81568efcb82cb5e322e822bac48cb9546bc5c34768a53827c6
-
Filesize
169KB
MD5739c5ad2e7a49c97aa59bb48c5a5d72e
SHA1e131e1c105a13dd4390ea301f6111577cb9853fc
SHA256de1063c59c10558882f40fa1169e8f591e4a5f709f302295399e93808af00049
SHA512ceacf27ec0d922c2abe62fe54bc3aaf5caab301796b703674290d75eb1e8f7b895f6f39c25757e81568efcb82cb5e322e822bac48cb9546bc5c34768a53827c6
-
Filesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf
-
Filesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf
-
Filesize
1.0MB
MD5542575865f3fb44ad412825f94e91486
SHA11cac46ad65ff3dc9d6c1184e99106dc4555fcae0
SHA256fe862a085377a9977e54dee74204c95ea90af9f1e6d9e0b8c749884d785212bf
SHA5123676b97e9720a30fb2a1dd35a84a87f0c4a14bd177eb1e930f347b512eb850b3cde6e00fac56833e494ed233a1d7e60f6f2d1e5f6ecedb79ee5030ab982860ec
-
Filesize
1.0MB
MD5542575865f3fb44ad412825f94e91486
SHA11cac46ad65ff3dc9d6c1184e99106dc4555fcae0
SHA256fe862a085377a9977e54dee74204c95ea90af9f1e6d9e0b8c749884d785212bf
SHA5123676b97e9720a30fb2a1dd35a84a87f0c4a14bd177eb1e930f347b512eb850b3cde6e00fac56833e494ed233a1d7e60f6f2d1e5f6ecedb79ee5030ab982860ec
-
Filesize
760KB
MD5579b36d3d93d5c047ca874b3d2dbac82
SHA193db531eeaa0d8ded7ff99067d0a7da180c78707
SHA256cd3420423f908cc4b30c156d47ecef9d9d29c2ef47e8bf6a54aaab3cc3ece224
SHA5124c0f1351fffc9d8537be4751f62fbe193010743ca990426163582e0515f8d2e0022f0ea0619dd50a7a1a9217f26cac60d46fbc3d38064541a8af87934c67efe3
-
Filesize
760KB
MD5579b36d3d93d5c047ca874b3d2dbac82
SHA193db531eeaa0d8ded7ff99067d0a7da180c78707
SHA256cd3420423f908cc4b30c156d47ecef9d9d29c2ef47e8bf6a54aaab3cc3ece224
SHA5124c0f1351fffc9d8537be4751f62fbe193010743ca990426163582e0515f8d2e0022f0ea0619dd50a7a1a9217f26cac60d46fbc3d38064541a8af87934c67efe3
-
Filesize
578KB
MD52cdeee7d26cb31ad61a6b7e8994e3d8a
SHA1a0294d0439ebc7bc89f3cf7b1a972a2faba84621
SHA256dea04a4bd306a1d8782d76e73744edf35e271e8106c8921019e83ae78528d8c0
SHA5125708d9bbca89075d430502d721db3ee262f07c04d5e46bfb1995e983be7df9a806544d1ccc16832cb9cf4cef039a1af1607d7f4eabb1ed9d747375f8773e358f
-
Filesize
578KB
MD52cdeee7d26cb31ad61a6b7e8994e3d8a
SHA1a0294d0439ebc7bc89f3cf7b1a972a2faba84621
SHA256dea04a4bd306a1d8782d76e73744edf35e271e8106c8921019e83ae78528d8c0
SHA5125708d9bbca89075d430502d721db3ee262f07c04d5e46bfb1995e983be7df9a806544d1ccc16832cb9cf4cef039a1af1607d7f4eabb1ed9d747375f8773e358f
-
Filesize
502KB
MD5cf96586dd8f85714b7a5b949c613e403
SHA1f45c5add69c3cefa48483f7acb6ae269136d9fc1
SHA256bb9abad0b536ea3ab3cc867face6c36fc35c5e403db530f20921b4ebc6f5e908
SHA512e8af51310f53d2f04ef67677e7b0d1b3545c204694b9c615cfeb219e656d68f416846cbbad7d8b5fd13c1a872462200f7593d346941acb1df9160f079006782f
-
Filesize
502KB
MD5cf96586dd8f85714b7a5b949c613e403
SHA1f45c5add69c3cefa48483f7acb6ae269136d9fc1
SHA256bb9abad0b536ea3ab3cc867face6c36fc35c5e403db530f20921b4ebc6f5e908
SHA512e8af51310f53d2f04ef67677e7b0d1b3545c204694b9c615cfeb219e656d68f416846cbbad7d8b5fd13c1a872462200f7593d346941acb1df9160f079006782f
-
Filesize
502KB
MD5cf96586dd8f85714b7a5b949c613e403
SHA1f45c5add69c3cefa48483f7acb6ae269136d9fc1
SHA256bb9abad0b536ea3ab3cc867face6c36fc35c5e403db530f20921b4ebc6f5e908
SHA512e8af51310f53d2f04ef67677e7b0d1b3545c204694b9c615cfeb219e656d68f416846cbbad7d8b5fd13c1a872462200f7593d346941acb1df9160f079006782f
-
Filesize
169KB
MD5739c5ad2e7a49c97aa59bb48c5a5d72e
SHA1e131e1c105a13dd4390ea301f6111577cb9853fc
SHA256de1063c59c10558882f40fa1169e8f591e4a5f709f302295399e93808af00049
SHA512ceacf27ec0d922c2abe62fe54bc3aaf5caab301796b703674290d75eb1e8f7b895f6f39c25757e81568efcb82cb5e322e822bac48cb9546bc5c34768a53827c6
-
Filesize
169KB
MD5739c5ad2e7a49c97aa59bb48c5a5d72e
SHA1e131e1c105a13dd4390ea301f6111577cb9853fc
SHA256de1063c59c10558882f40fa1169e8f591e4a5f709f302295399e93808af00049
SHA512ceacf27ec0d922c2abe62fe54bc3aaf5caab301796b703674290d75eb1e8f7b895f6f39c25757e81568efcb82cb5e322e822bac48cb9546bc5c34768a53827c6
-
Filesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf
-
Filesize
168KB
MD5f16fb63d4e551d3808e8f01f2671b57e
SHA1781153ad6235a1152da112de1fb39a6f2d063575
SHA2568a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf