Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
03/10/2023, 11:12
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230831-en
General
-
Target
file.exe
-
Size
876KB
-
MD5
017a82da7f811fc92a57a3b630c246e3
-
SHA1
0e411d8bdc009d3fd50f9983a0ca9c7d62fd8c72
-
SHA256
bde70ac579d1b9ce2d8bef8c8023debec0ca1a0e3cac07ea465e25b32aa0602a
-
SHA512
2d4932aa837920d66241cd422617dbbde3e2733d8874d5757687a44716321f3df12fc4620dea22a8556d12427e70239a4e210e1e3fd0870b831ada92d703a5a9
-
SSDEEP
12288:gMrfy90VY+asDkUK5UswGw6q8UJMT07e4sYuKgeAf2vFKgfheaz4ZxZWhMt5otF6:Pyb+ZDk9U3Mie4sQjf4ZxZWhntmB
Malware Config
Signatures
-
Detects Healer an antivirus disabler dropper 4 IoCs
resource yara_rule behavioral1/files/0x0007000000016267-34.dat healer behavioral1/files/0x0007000000016267-36.dat healer behavioral1/files/0x0007000000016267-37.dat healer behavioral1/memory/2708-38-0x0000000000CB0000-0x0000000000CBA000-memory.dmp healer -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 1oe84jq1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 1oe84jq1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 1oe84jq1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 1oe84jq1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 1oe84jq1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 1oe84jq1.exe -
Executes dropped EXE 5 IoCs
pid Process 1016 us4DK37.exe 1720 mR1ZW65.exe 2608 Xp2LI48.exe 2708 1oe84jq1.exe 900 2AV3412.exe -
Loads dropped DLL 13 IoCs
pid Process 2484 file.exe 1016 us4DK37.exe 1016 us4DK37.exe 1720 mR1ZW65.exe 1720 mR1ZW65.exe 2608 Xp2LI48.exe 2608 Xp2LI48.exe 2608 Xp2LI48.exe 900 2AV3412.exe 2732 WerFault.exe 2732 WerFault.exe 2732 WerFault.exe 2732 WerFault.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" 1oe84jq1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features 1oe84jq1.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" file.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" us4DK37.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" mR1ZW65.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" Xp2LI48.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 900 set thread context of 2948 900 2AV3412.exe 34 -
Program crash 2 IoCs
pid pid_target Process procid_target 2628 2948 WerFault.exe 34 2732 900 WerFault.exe 32 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2708 1oe84jq1.exe 2708 1oe84jq1.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2708 1oe84jq1.exe -
Suspicious use of WriteProcessMemory 63 IoCs
description pid Process procid_target PID 2484 wrote to memory of 1016 2484 file.exe 28 PID 2484 wrote to memory of 1016 2484 file.exe 28 PID 2484 wrote to memory of 1016 2484 file.exe 28 PID 2484 wrote to memory of 1016 2484 file.exe 28 PID 2484 wrote to memory of 1016 2484 file.exe 28 PID 2484 wrote to memory of 1016 2484 file.exe 28 PID 2484 wrote to memory of 1016 2484 file.exe 28 PID 1016 wrote to memory of 1720 1016 us4DK37.exe 29 PID 1016 wrote to memory of 1720 1016 us4DK37.exe 29 PID 1016 wrote to memory of 1720 1016 us4DK37.exe 29 PID 1016 wrote to memory of 1720 1016 us4DK37.exe 29 PID 1016 wrote to memory of 1720 1016 us4DK37.exe 29 PID 1016 wrote to memory of 1720 1016 us4DK37.exe 29 PID 1016 wrote to memory of 1720 1016 us4DK37.exe 29 PID 1720 wrote to memory of 2608 1720 mR1ZW65.exe 30 PID 1720 wrote to memory of 2608 1720 mR1ZW65.exe 30 PID 1720 wrote to memory of 2608 1720 mR1ZW65.exe 30 PID 1720 wrote to memory of 2608 1720 mR1ZW65.exe 30 PID 1720 wrote to memory of 2608 1720 mR1ZW65.exe 30 PID 1720 wrote to memory of 2608 1720 mR1ZW65.exe 30 PID 1720 wrote to memory of 2608 1720 mR1ZW65.exe 30 PID 2608 wrote to memory of 2708 2608 Xp2LI48.exe 31 PID 2608 wrote to memory of 2708 2608 Xp2LI48.exe 31 PID 2608 wrote to memory of 2708 2608 Xp2LI48.exe 31 PID 2608 wrote to memory of 2708 2608 Xp2LI48.exe 31 PID 2608 wrote to memory of 2708 2608 Xp2LI48.exe 31 PID 2608 wrote to memory of 2708 2608 Xp2LI48.exe 31 PID 2608 wrote to memory of 2708 2608 Xp2LI48.exe 31 PID 2608 wrote to memory of 900 2608 Xp2LI48.exe 32 PID 2608 wrote to memory of 900 2608 Xp2LI48.exe 32 PID 2608 wrote to memory of 900 2608 Xp2LI48.exe 32 PID 2608 wrote to memory of 900 2608 Xp2LI48.exe 32 PID 2608 wrote to memory of 900 2608 Xp2LI48.exe 32 PID 2608 wrote to memory of 900 2608 Xp2LI48.exe 32 PID 2608 wrote to memory of 900 2608 Xp2LI48.exe 32 PID 900 wrote to memory of 2948 900 2AV3412.exe 34 PID 900 wrote to memory of 2948 900 2AV3412.exe 34 PID 900 wrote to memory of 2948 900 2AV3412.exe 34 PID 900 wrote to memory of 2948 900 2AV3412.exe 34 PID 900 wrote to memory of 2948 900 2AV3412.exe 34 PID 900 wrote to memory of 2948 900 2AV3412.exe 34 PID 900 wrote to memory of 2948 900 2AV3412.exe 34 PID 900 wrote to memory of 2948 900 2AV3412.exe 34 PID 900 wrote to memory of 2948 900 2AV3412.exe 34 PID 900 wrote to memory of 2948 900 2AV3412.exe 34 PID 900 wrote to memory of 2948 900 2AV3412.exe 34 PID 900 wrote to memory of 2948 900 2AV3412.exe 34 PID 900 wrote to memory of 2948 900 2AV3412.exe 34 PID 900 wrote to memory of 2948 900 2AV3412.exe 34 PID 900 wrote to memory of 2732 900 2AV3412.exe 36 PID 900 wrote to memory of 2732 900 2AV3412.exe 36 PID 900 wrote to memory of 2732 900 2AV3412.exe 36 PID 2948 wrote to memory of 2628 2948 AppLaunch.exe 35 PID 900 wrote to memory of 2732 900 2AV3412.exe 36 PID 2948 wrote to memory of 2628 2948 AppLaunch.exe 35 PID 900 wrote to memory of 2732 900 2AV3412.exe 36 PID 2948 wrote to memory of 2628 2948 AppLaunch.exe 35 PID 900 wrote to memory of 2732 900 2AV3412.exe 36 PID 900 wrote to memory of 2732 900 2AV3412.exe 36 PID 2948 wrote to memory of 2628 2948 AppLaunch.exe 35 PID 2948 wrote to memory of 2628 2948 AppLaunch.exe 35 PID 2948 wrote to memory of 2628 2948 AppLaunch.exe 35 PID 2948 wrote to memory of 2628 2948 AppLaunch.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 2687⤵
- Program crash
PID:2628
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 2846⤵
- Loads dropped DLL
- Program crash
PID:2732
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
737KB
MD50f1e6bd57eb05a9fd74ff70b15d82ad2
SHA1a2e2ce16c2b0e838c7d304359c08b631c810e321
SHA256d4d41f660bacfd5b9aa8e27245cc404660be60b87206e47d9bc31155fb28127f
SHA51268c1f9d1ba3568171e8ec6d0a641ad24622da0c341d98e9aff59ea3e12dbb93def460ab7001bc2738dadda0c8d58b0771d78cf9d08ca3a59d93b3349b3ad79b5
-
Filesize
737KB
MD50f1e6bd57eb05a9fd74ff70b15d82ad2
SHA1a2e2ce16c2b0e838c7d304359c08b631c810e321
SHA256d4d41f660bacfd5b9aa8e27245cc404660be60b87206e47d9bc31155fb28127f
SHA51268c1f9d1ba3568171e8ec6d0a641ad24622da0c341d98e9aff59ea3e12dbb93def460ab7001bc2738dadda0c8d58b0771d78cf9d08ca3a59d93b3349b3ad79b5
-
Filesize
490KB
MD5eaf5703824f4cd6826d0b72d5d4858be
SHA1ce3b239c05f9c18c1e988e71f38114fcf4d1445e
SHA2561eb4091def0be71ab3151934cc38ab164daee0e32f915dbc011b99f59637c312
SHA512b44b30c5e1ab3135a4a2e25c542010206d600c6be9fd816e40e8988807e144aea3e09693e4c0613aa45ab1b5764474b68a0da39dd89bf9af3bcb5c09d30d2105
-
Filesize
490KB
MD5eaf5703824f4cd6826d0b72d5d4858be
SHA1ce3b239c05f9c18c1e988e71f38114fcf4d1445e
SHA2561eb4091def0be71ab3151934cc38ab164daee0e32f915dbc011b99f59637c312
SHA512b44b30c5e1ab3135a4a2e25c542010206d600c6be9fd816e40e8988807e144aea3e09693e4c0613aa45ab1b5764474b68a0da39dd89bf9af3bcb5c09d30d2105
-
Filesize
293KB
MD5270fed371af6acb335e5177f1d654d85
SHA1c3fc74b07b2a5596edc0f347b1a11bd77ec5e613
SHA256f2c4e0a40ca39423375f801ac60643cbf910d15278891fa904cff5d26a55a958
SHA51228a6938c4c2015d1eca20c187342cbcbc404e97c7a19532db6c5af52537dddeaa2587f5893cae226f11e8b2afd83a5f6203b55c3c6737663266a9e494d98fc53
-
Filesize
293KB
MD5270fed371af6acb335e5177f1d654d85
SHA1c3fc74b07b2a5596edc0f347b1a11bd77ec5e613
SHA256f2c4e0a40ca39423375f801ac60643cbf910d15278891fa904cff5d26a55a958
SHA51228a6938c4c2015d1eca20c187342cbcbc404e97c7a19532db6c5af52537dddeaa2587f5893cae226f11e8b2afd83a5f6203b55c3c6737663266a9e494d98fc53
-
Filesize
12KB
MD58d04e032bc6ad6b3ba2b7998e65e6f13
SHA166c8a49b5597f8fdab0bbe708c0335f85ef19986
SHA25690ff834f35b4a789d0d25c6252880635bf326d594e1156e785231b72ee59ebbf
SHA512efa2838bca833114a7417ea21e42644866d7b1c6352447735211dbc102f1d86bab0a59f2a27233eeae2fb6c43de01613437439132e188370de5d85937d9671c3
-
Filesize
12KB
MD58d04e032bc6ad6b3ba2b7998e65e6f13
SHA166c8a49b5597f8fdab0bbe708c0335f85ef19986
SHA25690ff834f35b4a789d0d25c6252880635bf326d594e1156e785231b72ee59ebbf
SHA512efa2838bca833114a7417ea21e42644866d7b1c6352447735211dbc102f1d86bab0a59f2a27233eeae2fb6c43de01613437439132e188370de5d85937d9671c3
-
Filesize
285KB
MD5890f04e0a2f7f9b29f432ae5d7829143
SHA1ce9553b4addcefb38e23059d6a42f384cce8f8e4
SHA256f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8
SHA5120479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b
-
Filesize
285KB
MD5890f04e0a2f7f9b29f432ae5d7829143
SHA1ce9553b4addcefb38e23059d6a42f384cce8f8e4
SHA256f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8
SHA5120479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b
-
Filesize
737KB
MD50f1e6bd57eb05a9fd74ff70b15d82ad2
SHA1a2e2ce16c2b0e838c7d304359c08b631c810e321
SHA256d4d41f660bacfd5b9aa8e27245cc404660be60b87206e47d9bc31155fb28127f
SHA51268c1f9d1ba3568171e8ec6d0a641ad24622da0c341d98e9aff59ea3e12dbb93def460ab7001bc2738dadda0c8d58b0771d78cf9d08ca3a59d93b3349b3ad79b5
-
Filesize
737KB
MD50f1e6bd57eb05a9fd74ff70b15d82ad2
SHA1a2e2ce16c2b0e838c7d304359c08b631c810e321
SHA256d4d41f660bacfd5b9aa8e27245cc404660be60b87206e47d9bc31155fb28127f
SHA51268c1f9d1ba3568171e8ec6d0a641ad24622da0c341d98e9aff59ea3e12dbb93def460ab7001bc2738dadda0c8d58b0771d78cf9d08ca3a59d93b3349b3ad79b5
-
Filesize
490KB
MD5eaf5703824f4cd6826d0b72d5d4858be
SHA1ce3b239c05f9c18c1e988e71f38114fcf4d1445e
SHA2561eb4091def0be71ab3151934cc38ab164daee0e32f915dbc011b99f59637c312
SHA512b44b30c5e1ab3135a4a2e25c542010206d600c6be9fd816e40e8988807e144aea3e09693e4c0613aa45ab1b5764474b68a0da39dd89bf9af3bcb5c09d30d2105
-
Filesize
490KB
MD5eaf5703824f4cd6826d0b72d5d4858be
SHA1ce3b239c05f9c18c1e988e71f38114fcf4d1445e
SHA2561eb4091def0be71ab3151934cc38ab164daee0e32f915dbc011b99f59637c312
SHA512b44b30c5e1ab3135a4a2e25c542010206d600c6be9fd816e40e8988807e144aea3e09693e4c0613aa45ab1b5764474b68a0da39dd89bf9af3bcb5c09d30d2105
-
Filesize
293KB
MD5270fed371af6acb335e5177f1d654d85
SHA1c3fc74b07b2a5596edc0f347b1a11bd77ec5e613
SHA256f2c4e0a40ca39423375f801ac60643cbf910d15278891fa904cff5d26a55a958
SHA51228a6938c4c2015d1eca20c187342cbcbc404e97c7a19532db6c5af52537dddeaa2587f5893cae226f11e8b2afd83a5f6203b55c3c6737663266a9e494d98fc53
-
Filesize
293KB
MD5270fed371af6acb335e5177f1d654d85
SHA1c3fc74b07b2a5596edc0f347b1a11bd77ec5e613
SHA256f2c4e0a40ca39423375f801ac60643cbf910d15278891fa904cff5d26a55a958
SHA51228a6938c4c2015d1eca20c187342cbcbc404e97c7a19532db6c5af52537dddeaa2587f5893cae226f11e8b2afd83a5f6203b55c3c6737663266a9e494d98fc53
-
Filesize
12KB
MD58d04e032bc6ad6b3ba2b7998e65e6f13
SHA166c8a49b5597f8fdab0bbe708c0335f85ef19986
SHA25690ff834f35b4a789d0d25c6252880635bf326d594e1156e785231b72ee59ebbf
SHA512efa2838bca833114a7417ea21e42644866d7b1c6352447735211dbc102f1d86bab0a59f2a27233eeae2fb6c43de01613437439132e188370de5d85937d9671c3
-
Filesize
285KB
MD5890f04e0a2f7f9b29f432ae5d7829143
SHA1ce9553b4addcefb38e23059d6a42f384cce8f8e4
SHA256f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8
SHA5120479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b
-
Filesize
285KB
MD5890f04e0a2f7f9b29f432ae5d7829143
SHA1ce9553b4addcefb38e23059d6a42f384cce8f8e4
SHA256f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8
SHA5120479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b
-
Filesize
285KB
MD5890f04e0a2f7f9b29f432ae5d7829143
SHA1ce9553b4addcefb38e23059d6a42f384cce8f8e4
SHA256f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8
SHA5120479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b
-
Filesize
285KB
MD5890f04e0a2f7f9b29f432ae5d7829143
SHA1ce9553b4addcefb38e23059d6a42f384cce8f8e4
SHA256f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8
SHA5120479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b
-
Filesize
285KB
MD5890f04e0a2f7f9b29f432ae5d7829143
SHA1ce9553b4addcefb38e23059d6a42f384cce8f8e4
SHA256f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8
SHA5120479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b
-
Filesize
285KB
MD5890f04e0a2f7f9b29f432ae5d7829143
SHA1ce9553b4addcefb38e23059d6a42f384cce8f8e4
SHA256f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8
SHA5120479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b