Analysis
-
max time kernel
103s -
max time network
31s -
platform
windows7_x64 -
resource
win7-20230621-en -
resource tags
arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system -
submitted
30/06/2023, 12:07
Static task
static1
Behavioral task
behavioral1
Sample
ghjk.exe
Resource
win7-20230621-en
Behavioral task
behavioral2
Sample
ghjk.exe
Resource
win10v2004-20230621-en
General
-
Target
ghjk.exe
-
Size
2.0MB
-
MD5
69773ff9cddbe895d0c1a7c381e15d81
-
SHA1
15a2796b6b77bd1f03eb0a30cfeb7e3c2f0a0631
-
SHA256
fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505
-
SHA512
550f9e02a7f1a1dc3734ba0d86940c2b298cee5890801aeba4f738bb306cdc717a6ecad34e2ebd2c3ac1b0151f2acae7131388f999a30ab9b914c3707a35544e
-
SSDEEP
49152:NZVlrVqLTyYBYTKiJHZ+guvLN09WIfw8eZrjwMmPK:7hIGKiJk7LN09WKOdMMmy
Malware Config
Signatures
-
Executes dropped EXE 13 IoCs
pid Process 1360 BLIrlccnw.exe 1296 BLIrlccnw.exe 804 CanReuseTransform.exe 968 CanReuseTransform.exe 1204 CanReuseTransform.exe 1376 CanReuseTransform.exe 1984 CanReuseTransform.exe 972 CanReuseTransform.exe 960 CanReuseTransform.exe 1996 CanReuseTransform.exe 1592 CanReuseTransform.exe 1568 CanReuseTransform.exe 308 CanReuseTransform.exe -
Loads dropped DLL 2 IoCs
pid Process 1320 ghjk.exe 1360 BLIrlccnw.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1360 set thread context of 1296 1360 BLIrlccnw.exe 38 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process 1320 ghjk.exe 1320 ghjk.exe 1320 ghjk.exe 1320 ghjk.exe 1320 ghjk.exe 1320 ghjk.exe 1320 ghjk.exe 1320 ghjk.exe 1320 ghjk.exe 1320 ghjk.exe 1028 powershell.exe 804 CanReuseTransform.exe 804 CanReuseTransform.exe 804 CanReuseTransform.exe 804 CanReuseTransform.exe 804 CanReuseTransform.exe 804 CanReuseTransform.exe 804 CanReuseTransform.exe 804 CanReuseTransform.exe 804 CanReuseTransform.exe 804 CanReuseTransform.exe 804 CanReuseTransform.exe 804 CanReuseTransform.exe 804 CanReuseTransform.exe 804 CanReuseTransform.exe 804 CanReuseTransform.exe 804 CanReuseTransform.exe 804 CanReuseTransform.exe 804 CanReuseTransform.exe 804 CanReuseTransform.exe 804 CanReuseTransform.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 1320 ghjk.exe Token: SeDebugPrivilege 1360 BLIrlccnw.exe Token: SeDebugPrivilege 1296 BLIrlccnw.exe Token: SeDebugPrivilege 1028 powershell.exe Token: SeDebugPrivilege 804 CanReuseTransform.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1320 wrote to memory of 1360 1320 ghjk.exe 27 PID 1320 wrote to memory of 1360 1320 ghjk.exe 27 PID 1320 wrote to memory of 1360 1320 ghjk.exe 27 PID 1320 wrote to memory of 1360 1320 ghjk.exe 27 PID 1320 wrote to memory of 1596 1320 ghjk.exe 32 PID 1320 wrote to memory of 1596 1320 ghjk.exe 32 PID 1320 wrote to memory of 1596 1320 ghjk.exe 32 PID 1320 wrote to memory of 1596 1320 ghjk.exe 32 PID 1320 wrote to memory of 1692 1320 ghjk.exe 31 PID 1320 wrote to memory of 1692 1320 ghjk.exe 31 PID 1320 wrote to memory of 1692 1320 ghjk.exe 31 PID 1320 wrote to memory of 1692 1320 ghjk.exe 31 PID 1320 wrote to memory of 1720 1320 ghjk.exe 30 PID 1320 wrote to memory of 1720 1320 ghjk.exe 30 PID 1320 wrote to memory of 1720 1320 ghjk.exe 30 PID 1320 wrote to memory of 1720 1320 ghjk.exe 30 PID 1320 wrote to memory of 1264 1320 ghjk.exe 29 PID 1320 wrote to memory of 1264 1320 ghjk.exe 29 PID 1320 wrote to memory of 1264 1320 ghjk.exe 29 PID 1320 wrote to memory of 1264 1320 ghjk.exe 29 PID 1320 wrote to memory of 1936 1320 ghjk.exe 28 PID 1320 wrote to memory of 1936 1320 ghjk.exe 28 PID 1320 wrote to memory of 1936 1320 ghjk.exe 28 PID 1320 wrote to memory of 1936 1320 ghjk.exe 28 PID 1320 wrote to memory of 1752 1320 ghjk.exe 33 PID 1320 wrote to memory of 1752 1320 ghjk.exe 33 PID 1320 wrote to memory of 1752 1320 ghjk.exe 33 PID 1320 wrote to memory of 1752 1320 ghjk.exe 33 PID 1320 wrote to memory of 804 1320 ghjk.exe 34 PID 1320 wrote to memory of 804 1320 ghjk.exe 34 PID 1320 wrote to memory of 804 1320 ghjk.exe 34 PID 1320 wrote to memory of 804 1320 ghjk.exe 34 PID 1320 wrote to memory of 476 1320 ghjk.exe 35 PID 1320 wrote to memory of 476 1320 ghjk.exe 35 PID 1320 wrote to memory of 476 1320 ghjk.exe 35 PID 1320 wrote to memory of 476 1320 ghjk.exe 35 PID 1320 wrote to memory of 1704 1320 ghjk.exe 36 PID 1320 wrote to memory of 1704 1320 ghjk.exe 36 PID 1320 wrote to memory of 1704 1320 ghjk.exe 36 PID 1320 wrote to memory of 1704 1320 ghjk.exe 36 PID 1320 wrote to memory of 572 1320 ghjk.exe 37 PID 1320 wrote to memory of 572 1320 ghjk.exe 37 PID 1320 wrote to memory of 572 1320 ghjk.exe 37 PID 1320 wrote to memory of 572 1320 ghjk.exe 37 PID 1360 wrote to memory of 1296 1360 BLIrlccnw.exe 38 PID 1360 wrote to memory of 1296 1360 BLIrlccnw.exe 38 PID 1360 wrote to memory of 1296 1360 BLIrlccnw.exe 38 PID 1360 wrote to memory of 1296 1360 BLIrlccnw.exe 38 PID 1360 wrote to memory of 1296 1360 BLIrlccnw.exe 38 PID 1360 wrote to memory of 1296 1360 BLIrlccnw.exe 38 PID 1360 wrote to memory of 1296 1360 BLIrlccnw.exe 38 PID 1360 wrote to memory of 1296 1360 BLIrlccnw.exe 38 PID 1360 wrote to memory of 1296 1360 BLIrlccnw.exe 38 PID 760 wrote to memory of 1028 760 taskeng.exe 42 PID 760 wrote to memory of 1028 760 taskeng.exe 42 PID 760 wrote to memory of 1028 760 taskeng.exe 42 PID 1652 wrote to memory of 804 1652 taskeng.exe 45 PID 1652 wrote to memory of 804 1652 taskeng.exe 45 PID 1652 wrote to memory of 804 1652 taskeng.exe 45 PID 1652 wrote to memory of 804 1652 taskeng.exe 45 PID 804 wrote to memory of 968 804 CanReuseTransform.exe 46 PID 804 wrote to memory of 968 804 CanReuseTransform.exe 46 PID 804 wrote to memory of 968 804 CanReuseTransform.exe 46 PID 804 wrote to memory of 968 804 CanReuseTransform.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\ghjk.exe"C:\Users\Admin\AppData\Local\Temp\ghjk.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe"C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exeC:\Users\Admin\AppData\Local\Temp\BLIrlccnw.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1296
-
-
-
C:\Users\Admin\AppData\Local\Temp\ghjk.exeC:\Users\Admin\AppData\Local\Temp\ghjk.exe2⤵PID:1936
-
-
C:\Users\Admin\AppData\Local\Temp\ghjk.exeC:\Users\Admin\AppData\Local\Temp\ghjk.exe2⤵PID:1264
-
-
C:\Users\Admin\AppData\Local\Temp\ghjk.exeC:\Users\Admin\AppData\Local\Temp\ghjk.exe2⤵PID:1720
-
-
C:\Users\Admin\AppData\Local\Temp\ghjk.exeC:\Users\Admin\AppData\Local\Temp\ghjk.exe2⤵PID:1692
-
-
C:\Users\Admin\AppData\Local\Temp\ghjk.exeC:\Users\Admin\AppData\Local\Temp\ghjk.exe2⤵PID:1596
-
-
C:\Users\Admin\AppData\Local\Temp\ghjk.exeC:\Users\Admin\AppData\Local\Temp\ghjk.exe2⤵PID:1752
-
-
C:\Users\Admin\AppData\Local\Temp\ghjk.exeC:\Users\Admin\AppData\Local\Temp\ghjk.exe2⤵PID:804
-
-
C:\Users\Admin\AppData\Local\Temp\ghjk.exeC:\Users\Admin\AppData\Local\Temp\ghjk.exe2⤵PID:476
-
-
C:\Users\Admin\AppData\Local\Temp\ghjk.exeC:\Users\Admin\AppData\Local\Temp\ghjk.exe2⤵PID:1704
-
-
C:\Users\Admin\AppData\Local\Temp\ghjk.exeC:\Users\Admin\AppData\Local\Temp\ghjk.exe2⤵PID:572
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {364C60EF-818D-45AE-AC19-D47B46DEC7BA} S-1-5-21-3518257231-2980324860-1431329550-1000:VWMLZJGN\Admin:S4U:1⤵
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1028
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {470ABB3D-4EC6-423F-BB3C-C2C21037F1E5} S-1-5-21-3518257231-2980324860-1431329550-1000:VWMLZJGN\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exeC:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exeC:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exe3⤵
- Executes dropped EXE
PID:968
-
-
C:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exeC:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exe3⤵
- Executes dropped EXE
PID:308
-
-
C:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exeC:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exe3⤵
- Executes dropped EXE
PID:1592
-
-
C:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exeC:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exe3⤵
- Executes dropped EXE
PID:1568
-
-
C:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exeC:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exe3⤵
- Executes dropped EXE
PID:960
-
-
C:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exeC:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exe3⤵
- Executes dropped EXE
PID:1996
-
-
C:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exeC:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exe3⤵
- Executes dropped EXE
PID:1984
-
-
C:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exeC:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exe3⤵
- Executes dropped EXE
PID:972
-
-
C:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exeC:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exe3⤵
- Executes dropped EXE
PID:1204
-
-
C:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exeC:\Users\Admin\AppData\Local\EventProvider\htvxzsdu\CanReuseTransform.exe3⤵
- Executes dropped EXE
PID:1376
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD5fc6f64c6b52d80c505cc7d6f04d0952e
SHA11c472c2ceb83bfcd5adc6770e35594a5b0ec5390
SHA256c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040
SHA512cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c
-
Filesize
1.2MB
MD5fc6f64c6b52d80c505cc7d6f04d0952e
SHA11c472c2ceb83bfcd5adc6770e35594a5b0ec5390
SHA256c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040
SHA512cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c
-
Filesize
1.2MB
MD5fc6f64c6b52d80c505cc7d6f04d0952e
SHA11c472c2ceb83bfcd5adc6770e35594a5b0ec5390
SHA256c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040
SHA512cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c
-
Filesize
1.2MB
MD5fc6f64c6b52d80c505cc7d6f04d0952e
SHA11c472c2ceb83bfcd5adc6770e35594a5b0ec5390
SHA256c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040
SHA512cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c
-
Filesize
1.2MB
MD5fc6f64c6b52d80c505cc7d6f04d0952e
SHA11c472c2ceb83bfcd5adc6770e35594a5b0ec5390
SHA256c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040
SHA512cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c
-
Filesize
1.2MB
MD5fc6f64c6b52d80c505cc7d6f04d0952e
SHA11c472c2ceb83bfcd5adc6770e35594a5b0ec5390
SHA256c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040
SHA512cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c
-
Filesize
1.2MB
MD5fc6f64c6b52d80c505cc7d6f04d0952e
SHA11c472c2ceb83bfcd5adc6770e35594a5b0ec5390
SHA256c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040
SHA512cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c
-
Filesize
1.2MB
MD5fc6f64c6b52d80c505cc7d6f04d0952e
SHA11c472c2ceb83bfcd5adc6770e35594a5b0ec5390
SHA256c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040
SHA512cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c
-
Filesize
1.2MB
MD5fc6f64c6b52d80c505cc7d6f04d0952e
SHA11c472c2ceb83bfcd5adc6770e35594a5b0ec5390
SHA256c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040
SHA512cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c
-
Filesize
1.2MB
MD5fc6f64c6b52d80c505cc7d6f04d0952e
SHA11c472c2ceb83bfcd5adc6770e35594a5b0ec5390
SHA256c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040
SHA512cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c
-
Filesize
1.2MB
MD5fc6f64c6b52d80c505cc7d6f04d0952e
SHA11c472c2ceb83bfcd5adc6770e35594a5b0ec5390
SHA256c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040
SHA512cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c
-
Filesize
1.2MB
MD5fc6f64c6b52d80c505cc7d6f04d0952e
SHA11c472c2ceb83bfcd5adc6770e35594a5b0ec5390
SHA256c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040
SHA512cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c
-
Filesize
1.2MB
MD5fc6f64c6b52d80c505cc7d6f04d0952e
SHA11c472c2ceb83bfcd5adc6770e35594a5b0ec5390
SHA256c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040
SHA512cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c
-
Filesize
1.2MB
MD5fc6f64c6b52d80c505cc7d6f04d0952e
SHA11c472c2ceb83bfcd5adc6770e35594a5b0ec5390
SHA256c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040
SHA512cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c
-
Filesize
1.2MB
MD5fc6f64c6b52d80c505cc7d6f04d0952e
SHA11c472c2ceb83bfcd5adc6770e35594a5b0ec5390
SHA256c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040
SHA512cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c
-
Filesize
1.2MB
MD5fc6f64c6b52d80c505cc7d6f04d0952e
SHA11c472c2ceb83bfcd5adc6770e35594a5b0ec5390
SHA256c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040
SHA512cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c
-
Filesize
1.2MB
MD5fc6f64c6b52d80c505cc7d6f04d0952e
SHA11c472c2ceb83bfcd5adc6770e35594a5b0ec5390
SHA256c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040
SHA512cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c
-
Filesize
1.2MB
MD5fc6f64c6b52d80c505cc7d6f04d0952e
SHA11c472c2ceb83bfcd5adc6770e35594a5b0ec5390
SHA256c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040
SHA512cc0a6d32eeafd0238510cf327d8f71cc94f4ee5997389071c7431ee06446f88ecfe9fe8f7c5adbe88ea3c889d066dd7a862bd4eda2301dc129f8f4c4174f9e9c