Malware Analysis Report

2024-10-19 11:52

Sample ID 240414-1xxbfahe7s
Target 14e35051b91e2a62d75e96cdcf9fda203df9984d597bdbc97496a12b77d07f60.bin
SHA256 14e35051b91e2a62d75e96cdcf9fda203df9984d597bdbc97496a12b77d07f60
Tags
xloader_apk banker collection discovery evasion infostealer persistence stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

14e35051b91e2a62d75e96cdcf9fda203df9984d597bdbc97496a12b77d07f60

Threat Level: Known bad

The file 14e35051b91e2a62d75e96cdcf9fda203df9984d597bdbc97496a12b77d07f60.bin was found to be: Known bad.

Malicious Activity Summary

xloader_apk banker collection discovery evasion infostealer persistence stealth trojan

XLoader payload

XLoader, MoqHao

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries account information for other applications stored on the device.

Queries the phone number (MSISDN for GSM devices)

Reads the content of the MMS message.

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-14 22:02

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to monitor incoming MMS messages. android.permission.RECEIVE_MMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-14 22:02

Reported

2024-04-14 22:11

Platform

android-x86-arm-20240221-en

Max time kernel

149s

Max time network

156s

Command Line

jzts.xpgzq.kcdou

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/jzts.xpgzq.kcdou/files/dex N/A N/A
N/A /data/user/0/jzts.xpgzq.kcdou/files/dex N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries account information for other applications stored on the device.

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccounts N/A N/A

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

jzts.xpgzq.kcdou

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 docs.google.com udp
GB 142.250.180.14:443 docs.google.com tcp
GB 142.250.180.14:443 docs.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 142.250.200.14:443 tcp
GB 142.250.200.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp

Files

/data/data/jzts.xpgzq.kcdou/files/dex

MD5 57284f2b1e742f6b49032b0700cb851a
SHA1 2807f37214f96682e43071794a9f12dbb41bb254
SHA256 e99e7f9f33d02afcdcd006dc5e9468527013e37897114bcc2bbf7f4464d93085
SHA512 dfee6fc0707173b1c0df4bc15372a0546f4f56800eb7db36ac36782a86557bc9b3c20f3d1b6044a0891addb601576e6e4c22aca4e6b52493cd69210e4eea1c9c

/storage/emulated/0/.msg_device_id.txt

MD5 8d76223c073200c20c38cc85614d7b00
SHA1 22d5a495009b7284facb3c718268ea2f9a31d93d
SHA256 5367e8f3cc7234e3dacedbb709021cf32f56a3d98dbde2ed1a90fceb40bcc323
SHA512 9cdaeb8e2a1dd6185fe14b3c60e52a1c3c306e267ecc7b730bc410ea65db6ec9ecd5879c6ebe96af777e1707765926d5dcb174e8bc7875f83b54bfa64857b8a9

/data/data/jzts.xpgzq.kcdou/files/oat/dex.cur.prof

MD5 b8098184768fa434247ad3e0610461d4
SHA1 57cb1d14bc9f1f8d54f69665b175b84b4fe549ff
SHA256 72484a8483c8c43ef818d764ac4f318ca4bc5cd7210791c575a5e1eb85d4bca4
SHA512 5d93cf234c6b405f177df13c138a8c7e4055db13005172aaa6ae2df45981fffcefebdecf5efc2a23299e851f485d1463489e7875d203822de8288df70e70aca9

/data/data/jzts.xpgzq.kcdou/files/oat/dex.cur.prof

MD5 bac010bdb0d7d3af4e8aee6920ad1bf8
SHA1 253654dde808098b6ccb50ddac4b4e19cfdccdd2
SHA256 808bbcaa5aa5576bf0e4b4497838efa8106a5c2fe82838da04a3df3124eec829
SHA512 afa5f2bc13e4c7b17a85be5ecebaa65095c244e1e4251a3d0d5ef7304767dd66327ff2679babd0e3e68443eeb2be82e237b35289dc85e5093a3dfd0ed6dea698

/data/data/jzts.xpgzq.kcdou/files/oat/dex.cur.prof

MD5 4ed626348d136695a0882acf10d9865e
SHA1 d060173abb6579bdf9953d2e005385d31aeee68e
SHA256 e2cf6245ae4b407e58534a6c464ab197abd1d14d585b2304c7b850da47374485
SHA512 d3af4c75b38e82b641cbcba08a9ae8f46dc6330266c316d0a537dc779415c6b58bac29225e44bf1feba124f4ca865a96984892b399f64fa14564ce5dda59a4bc

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-14 22:02

Reported

2024-04-14 22:11

Platform

android-x64-20240221-en

Max time kernel

150s

Max time network

156s

Command Line

jzts.xpgzq.kcdou

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/jzts.xpgzq.kcdou/files/dex N/A N/A
N/A /data/user/0/jzts.xpgzq.kcdou/files/dex N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries account information for other applications stored on the device.

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccounts N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

jzts.xpgzq.kcdou

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 docs.google.com udp
GB 142.250.187.238:443 docs.google.com tcp
GB 142.250.187.238:443 docs.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 216.58.204.68:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.200.36:443 www.google.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp

Files

/data/data/jzts.xpgzq.kcdou/files/dex

MD5 57284f2b1e742f6b49032b0700cb851a
SHA1 2807f37214f96682e43071794a9f12dbb41bb254
SHA256 e99e7f9f33d02afcdcd006dc5e9468527013e37897114bcc2bbf7f4464d93085
SHA512 dfee6fc0707173b1c0df4bc15372a0546f4f56800eb7db36ac36782a86557bc9b3c20f3d1b6044a0891addb601576e6e4c22aca4e6b52493cd69210e4eea1c9c

/storage/emulated/0/.msg_device_id.txt

MD5 7978889ad2d0b2fcabafbb2a67fe6896
SHA1 b6348b576d635b73fd636e3ee021ab6a8a67ae18
SHA256 790035a7f66e4e44d5fac9bb006b79b93c91302ca94c1fe46b22f4494be2f6a2
SHA512 801c3d29751966e5d4620fd139e6c4f6b05d37e08158d28b82a7013be366ff2e804f7403d5bdcbfea675dc96cc07354a41c772d3bf36db87192893293a512736

/data/data/jzts.xpgzq.kcdou/files/oat/dex.cur.prof

MD5 87321e61b6203de1e31e69f6bffff682
SHA1 ffeb105269d2fef4d10dcece0f9695aa0ab15aca
SHA256 b32b12003bf82299692e2f637b6c0b3d9538c676829143646de79881d642c8ab
SHA512 5ddfcf948087c4f673e165d0f77d3dc74971a165b69dff277f5bc7187869b56a61ccdabc83f20e3c25461e9e786e5cb4bdbe4ea7fa840dae5de40ee11afd051f

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-14 22:02

Reported

2024-04-14 22:11

Platform

android-x64-arm64-20240221-en

Max time kernel

149s

Max time network

157s

Command Line

jzts.xpgzq.kcdou

Signatures

XLoader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XLoader, MoqHao

trojan infostealer banker xloader_apk

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/jzts.xpgzq.kcdou/files/dex N/A N/A
N/A /data/user/0/jzts.xpgzq.kcdou/files/dex N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries account information for other applications stored on the device.

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of the MMS message.

collection
Description Indicator Process Target
URI accessed for read content://mms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

jzts.xpgzq.kcdou

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 udp
GB 142.250.178.14:443 udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 docs.google.com udp
GB 172.217.16.238:443 docs.google.com tcp
GB 172.217.16.238:443 docs.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.232:443 ssl.google-analytics.com tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp
KR 91.204.227.39:28844 tcp

Files

/data/user/0/jzts.xpgzq.kcdou/files/dex

MD5 57284f2b1e742f6b49032b0700cb851a
SHA1 2807f37214f96682e43071794a9f12dbb41bb254
SHA256 e99e7f9f33d02afcdcd006dc5e9468527013e37897114bcc2bbf7f4464d93085
SHA512 dfee6fc0707173b1c0df4bc15372a0546f4f56800eb7db36ac36782a86557bc9b3c20f3d1b6044a0891addb601576e6e4c22aca4e6b52493cd69210e4eea1c9c

/storage/emulated/0/.msg_device_id.txt

MD5 49ffd1828a7fb0f9d8d9fc23731f9d5f
SHA1 47e6c45002bd8f479e942db15c96511d742e466b
SHA256 ee909bb55678a0d6b10bc63fb8fdcd5dd349646e0177fd6589f17364aa4f4187
SHA512 475c6b48d77b39688103c8417e3218bd1c5501d43e4634b88d0f540986082d78611e809dcdc0e53aef93ddd8914a9443dc4deef5be421d3526f7745c7dae0a3d

/data/user/0/jzts.xpgzq.kcdou/files/oat/dex.cur.prof

MD5 25039841a278ac614b560cb825699a34
SHA1 ea1c699fde04f611231ad5a0316c8a45847a3c2c
SHA256 b17d65285fd15533906cb4c16babe51e49a5ae00b12ad72cfd51eea40f22bcc0
SHA512 0f847d1766bd8b90d0ce4a7da486b9019e7bebdbb4f166ea6141a4d9cdb63d5fc3a9d0c293ace679f5aa541038b66ec791717dfeec752e7ec3b5eb26f77e98dd