Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-10-2023 15:23
Behavioral task: behavioral1
- Sample: a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe
- Resource: win7-20230831-en

Behavioral task: behavioral2
- Sample: a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe
- Resource: win10v2004-20230915-en
General
- Target: a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe
- Size: 3.0MB
- MD5: ad1899b8ed8a1064806d93a6b04a7087
- SHA1: 4ae5cdd51b169b9993e3729d3f83a7b87ea8e401
- SHA256: a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b
- SHA512: 2ff5d82b538e452c144851a4ae6dda968deaeb5bd4753dcab2ee4f26912629dbcad6c66b0e3b2aaf47bcb35eba83c15bfcaa906d32cece2eab8df76daf6f2e9e
- SSDEEP: 49152:rTGkQT5QZuTtS0rQMYOQ+q8CEdTG4QxTGHQO9KFeMy:rKkoWsM0r1Qn2K44KHx0Fer
Malware Config
Signatures
Drops file in Drivers directory 1 IoCs
description | ioc | Process
- File created | C:\Windows\System32\drivers\zN6I9bfSu.sys | aitstatic.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe
Executes dropped EXE 2 IoCs
pid | Process
- 3340 | c261fc3a
- 2064 | aitstatic.exe

resource | yara_rule
- behavioral2/memory/4468-0-0x0000000000AE0000-0x0000000000B69000-memory.dmp | upx
- behavioral2/files/0x000400000001e5c6-2.dat | upx
- behavioral2/files/0x000400000001e5c6-3.dat | upx
- behavioral2/memory/3340-4-0x0000000000160000-0x00000000001E9000-memory.dmp | upx
- behavioral2/memory/4468-25-0x0000000000AE0000-0x0000000000B69000-memory.dmp | upx
- behavioral2/memory/3340-27-0x0000000000160000-0x00000000001E9000-memory.dmp | upx
- behavioral2/memory/4468-35-0x0000000000AE0000-0x0000000000B69000-memory.dmp | upx
- behavioral2/memory/3340-64-0x0000000000160000-0x00000000001E9000-memory.dmp | upx
Unexpected DNS network traffic destination 1 IoCs
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
description | ioc
- Destination | IP 114.114.114.114
Drops file in System32 directory 16 IoCs
description | ioc | Process
- File created | C:\Windows\system32\ \Windows\System32\ur4QXjxk.sys | aitstatic.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | c261fc3a
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4 | c261fc3a
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | c261fc3a
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | c261fc3a
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | c261fc3a
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | c261fc3a
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | c261fc3a
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A | c261fc3a
- File created | C:\Windows\SysWOW64\c261fc3a | a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | c261fc3a
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | c261fc3a
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | c261fc3a
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | c261fc3a
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A | c261fc3a
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4 | c261fc3a
Drops file in Windows directory 4 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\392e98 | c261fc3a
- File created | C:\Windows\Fonts\aitstatic.exe | Explorer.EXE
- File opened for modification | C:\Windows\Fonts\aitstatic.exe | Explorer.EXE
- File created | C:\Windows\nngoumFzN.sys | aitstatic.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | aitstatic.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | aitstatic.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | aitstatic.exe
Delays execution with timeout.exe 2 IoCs
pid | Process
- 4220 | timeout.exe
- 4844 | timeout.exe
Modifies Internet Explorer settings 2 IoCs
description | ioc | Process
- Set value (data) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.hao774.com | aitstatic.exe
- Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\New Windows\Allow | aitstatic.exe
Modifies data under HKEY_USERS 9 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | c261fc3a
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | c261fc3a
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | c261fc3a
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | c261fc3a
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | c261fc3a
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | c261fc3a
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | c261fc3a
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | c261fc3a
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | c261fc3a
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (consecutive identical entries collapsed, in the order reported)
- 3340 | c261fc3a (x10)
- 3168 | Explorer.EXE (x4)
- 3340 | c261fc3a (x2)
- 2064 | aitstatic.exe (x48)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
- 3168 | Explorer.EXE
Suspicious behavior: LoadsDriver 3 IoCs
pid | Process
- 676 | Process not Found (x3)
Suspicious use of AdjustPrivilegeToken 16 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 4468 | a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe
- Token: SeTcbPrivilege | 4468 | a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe
- Token: SeDebugPrivilege | 3340 | c261fc3a
- Token: SeTcbPrivilege | 3340 | c261fc3a
- Token: SeDebugPrivilege | 3340 | c261fc3a
- Token: SeDebugPrivilege | 3168 | Explorer.EXE
- Token: SeDebugPrivilege | 3168 | Explorer.EXE
- Token: SeIncBasePriorityPrivilege | 4468 | a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe
- Token: SeDebugPrivilege | 3340 | c261fc3a
- Token: SeDebugPrivilege | 2064 | aitstatic.exe
- Token: SeDebugPrivilege | 2064 | aitstatic.exe
- Token: SeDebugPrivilege | 2064 | aitstatic.exe
- Token: SeShutdownPrivilege | 3168 | Explorer.EXE
- Token: SeCreatePagefilePrivilege | 3168 | Explorer.EXE
- Token: SeIncBasePriorityPrivilege | 3340 | c261fc3a
- Token: SeDebugPrivilege | 2064 | aitstatic.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
- 2064 | aitstatic.exe (x64)
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
- 2064 | aitstatic.exe

Suspicious use of UnmapMainImage 1 IoCs
pid | Process
- 3168 | Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (consecutive identical entries collapsed, in the order reported)
- PID 3340 wrote to memory of 3168 | 3340 | c261fc3a | 72 (x5)
- PID 3168 wrote to memory of 2064 | 3168 | Explorer.EXE | 92 (x7)
- PID 3340 wrote to memory of 628 | 3340 | c261fc3a | 3 (x5)
- PID 4468 wrote to memory of 5024 | 4468 | a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe | 95 (x3)
- PID 5024 wrote to memory of 4220 | 5024 | cmd.exe | 97 (x3)
- PID 3340 wrote to memory of 4460 | 3340 | c261fc3a | 102 (x3)
- PID 4460 wrote to memory of 4844 | 4460 | cmd.exe | 103 (x3)
- PID 2064 wrote to memory of 3168 | 2064 | aitstatic.exe | 72 (x35)
Processes
- C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  PID: 628
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3168
  Signatures:
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe"
    PID: 4468
    Signatures:
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\a9d70cfd0e530d7fde83f53a7f1945f1a59995d17caab36141788d7074bc6d7b.exe"
      PID: 5024
      Signatures:
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\SysWOW64\timeout.exe
        Command line: timeout /t 1
        PID: 4220
        Signatures:
        - Delays execution with timeout.exe
  - C:\Windows\Fonts\aitstatic.exe
    Command line: "C:\Windows\Fonts\aitstatic.exe"
    PID: 2064
    Signatures:
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
- C:\Windows\Syswow64\c261fc3a
  Command line: C:\Windows\Syswow64\c261fc3a
  PID: 3340
  Signatures:
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\c261fc3a"
    PID: 4460
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 1
      PID: 4844
      Signatures:
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.1MB
  MD5: 64ed2d2c45644c1cd48904bf39e5e5f6
  SHA1: ddbb9fc71f4a4fcc478c40a3b8e4c87fce415317
  SHA256: 6c21c0c38032da60fcb777cd1706d3630ec541a61d63bcc4c7a28a7008da16d4
  SHA512: a2b7a6d264e7a244e4974d7e1886d501e2de9f2bb1e55ad2a7eca61e65ac6badf648b12c3a00fc756e5063a298fe165f70dcaca2d7e0dd2a784606f871b18c60
- Filesize: 3.0MB
  MD5: bed148519984ca93328117d759fd0459
  SHA1: d9acf5921d9b887d3c1a76293aee13dd01e562af
  SHA256: 632717c4cd7118045a362f229f870edc09d1e1ca1a838d0b331d51e1ac689d6c
  SHA512: b1fbfeea36b50085488b719285684ae9d4268137e59ef41c803930e09d6650ce9d892cd1e3ae4d7dee50fcb1d9857b3c67fbb03ebc9fa5b8887f670de09d76ea
- Filesize: 3.0MB
  MD5: bed148519984ca93328117d759fd0459
  SHA1: d9acf5921d9b887d3c1a76293aee13dd01e562af
  SHA256: 632717c4cd7118045a362f229f870edc09d1e1ca1a838d0b331d51e1ac689d6c
  SHA512: b1fbfeea36b50085488b719285684ae9d4268137e59ef41c803930e09d6650ce9d892cd1e3ae4d7dee50fcb1d9857b3c67fbb03ebc9fa5b8887f670de09d76ea