Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 14:42
Behavioral task
behavioral1
Sample
62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
General
-
Target
62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe
-
Size
208KB
-
MD5
62b0a704ff4299bb89933ba9dd71f070
-
SHA1
5dbaf86ff56491dc813d8b752fd51c5b57059cc2
-
SHA256
ab391beb27aabd848c1fe20defa1086c5abbd528955a0cfd7eb1d1c79c107d5c
-
SHA512
7672e07b79da39acb1d09af62d2e4f711ba3bf42077898a3ed6daed65fd7af492d9d6b5d31f6f893862fe91a432f8d26665cb8fcb3b88b3ddb20cc46e6bcf1ec
-
SSDEEP
6144:4q6QJoRQpJGbcDX4EYtCwGtMtkiXOoloMr1JeSldqP7+x55KmC:42feChtMtkM71r1MSXqPix55Kx
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idceea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnagjbdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcplhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcifgjgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Idceea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" 62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcifgjgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnagjbdf.exe -
Malware Dropper & Backdoor - Berbew 9 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000c00000001340b-5.dat family_berbew behavioral1/files/0x0008000000015d87-20.dat family_berbew behavioral1/files/0x0007000000015e3a-39.dat family_berbew behavioral1/files/0x0007000000015f6d-46.dat family_berbew behavioral1/memory/2508-53-0x0000000000440000-0x0000000000476000-memory.dmp family_berbew behavioral1/files/0x0009000000016117-60.dat family_berbew behavioral1/memory/2508-55-0x0000000000440000-0x0000000000476000-memory.dmp family_berbew behavioral1/files/0x0006000000016d3a-74.dat family_berbew behavioral1/files/0x0006000000016d90-87.dat family_berbew -
Executes dropped EXE 7 IoCs
pid Process 2784 Hcifgjgc.exe 2584 Hnojdcfi.exe 2508 Hnagjbdf.exe 2716 Hlfdkoin.exe 2372 Hcplhi32.exe 2292 Idceea32.exe 1484 Iagfoe32.exe -
Loads dropped DLL 18 IoCs
pid Process 2188 62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe 2188 62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe 2784 Hcifgjgc.exe 2784 Hcifgjgc.exe 2584 Hnojdcfi.exe 2584 Hnojdcfi.exe 2508 Hnagjbdf.exe 2508 Hnagjbdf.exe 2716 Hlfdkoin.exe 2716 Hlfdkoin.exe 2372 Hcplhi32.exe 2372 Hcplhi32.exe 2292 Idceea32.exe 2292 Idceea32.exe 2444 WerFault.exe 2444 WerFault.exe 2444 WerFault.exe 2444 WerFault.exe -
Drops file in System32 directory 21 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hlfdkoin.exe Hnagjbdf.exe File opened for modification C:\Windows\SysWOW64\Hlfdkoin.exe Hnagjbdf.exe File created C:\Windows\SysWOW64\Pqiqnfej.dll Hcplhi32.exe File created C:\Windows\SysWOW64\Hcifgjgc.exe 62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\Hcifgjgc.exe 62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Odpegjpg.dll Hcifgjgc.exe File created C:\Windows\SysWOW64\Hnagjbdf.exe Hnojdcfi.exe File created C:\Windows\SysWOW64\Enlbgc32.dll Hnojdcfi.exe File created C:\Windows\SysWOW64\Gjenmobn.dll Idceea32.exe File created C:\Windows\SysWOW64\Fealjk32.dll 62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe File created C:\Windows\SysWOW64\Hnojdcfi.exe Hcifgjgc.exe File opened for modification C:\Windows\SysWOW64\Hnagjbdf.exe Hnojdcfi.exe File created C:\Windows\SysWOW64\Idceea32.exe Hcplhi32.exe File opened for modification C:\Windows\SysWOW64\Iagfoe32.exe Idceea32.exe File created C:\Windows\SysWOW64\Oiogaqdb.dll Hnagjbdf.exe File created C:\Windows\SysWOW64\Hcplhi32.exe Hlfdkoin.exe File opened for modification C:\Windows\SysWOW64\Hnojdcfi.exe Hcifgjgc.exe File opened for modification C:\Windows\SysWOW64\Hcplhi32.exe Hlfdkoin.exe File created C:\Windows\SysWOW64\Lponfjoo.dll Hlfdkoin.exe File opened for modification C:\Windows\SysWOW64\Idceea32.exe Hcplhi32.exe File created C:\Windows\SysWOW64\Iagfoe32.exe Idceea32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2444 1484 WerFault.exe 34 -
Modifies registry class 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll" 62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll" Hnojdcfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll" Hnagjbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idceea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} 62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hnojdcfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll" Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hlfdkoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll" Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll" Idceea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hcifgjgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll" Hcifgjgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hlfdkoin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hcplhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hcplhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Idceea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" 62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hnagjbdf.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 2188 wrote to memory of 2784 2188 62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe 28 PID 2188 wrote to memory of 2784 2188 62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe 28 PID 2188 wrote to memory of 2784 2188 62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe 28 PID 2188 wrote to memory of 2784 2188 62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe 28 PID 2784 wrote to memory of 2584 2784 Hcifgjgc.exe 29 PID 2784 wrote to memory of 2584 2784 Hcifgjgc.exe 29 PID 2784 wrote to memory of 2584 2784 Hcifgjgc.exe 29 PID 2784 wrote to memory of 2584 2784 Hcifgjgc.exe 29 PID 2584 wrote to memory of 2508 2584 Hnojdcfi.exe 30 PID 2584 wrote to memory of 2508 2584 Hnojdcfi.exe 30 PID 2584 wrote to memory of 2508 2584 Hnojdcfi.exe 30 PID 2584 wrote to memory of 2508 2584 Hnojdcfi.exe 30 PID 2508 wrote to memory of 2716 2508 Hnagjbdf.exe 31 PID 2508 wrote to memory of 2716 2508 Hnagjbdf.exe 31 PID 2508 wrote to memory of 2716 2508 Hnagjbdf.exe 31 PID 2508 wrote to memory of 2716 2508 Hnagjbdf.exe 31 PID 2716 wrote to memory of 2372 2716 Hlfdkoin.exe 32 PID 2716 wrote to memory of 2372 2716 Hlfdkoin.exe 32 PID 2716 wrote to memory of 2372 2716 Hlfdkoin.exe 32 PID 2716 wrote to memory of 2372 2716 Hlfdkoin.exe 32 PID 2372 wrote to memory of 2292 2372 Hcplhi32.exe 33 PID 2372 wrote to memory of 2292 2372 Hcplhi32.exe 33 PID 2372 wrote to memory of 2292 2372 Hcplhi32.exe 33 PID 2372 wrote to memory of 2292 2372 Hcplhi32.exe 33 PID 2292 wrote to memory of 1484 2292 Idceea32.exe 34 PID 2292 wrote to memory of 1484 2292 Idceea32.exe 34 PID 2292 wrote to memory of 1484 2292 Idceea32.exe 34 PID 2292 wrote to memory of 1484 2292 Idceea32.exe 34 PID 1484 wrote to memory of 2444 1484 Iagfoe32.exe 35 PID 1484 wrote to memory of 2444 1484 Iagfoe32.exe 35 PID 1484 wrote to memory of 2444 1484 Iagfoe32.exe 35 PID 1484 wrote to memory of 2444 1484 Iagfoe32.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Hnojdcfi.exeC:\Windows\system32\Hnojdcfi.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Hnagjbdf.exeC:\Windows\system32\Hnagjbdf.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Hcplhi32.exeC:\Windows\system32\Hcplhi32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Iagfoe32.exeC:\Windows\system32\Iagfoe32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1409⤵
- Loads dropped DLL
- Program crash
PID:2444
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
208KB
MD58fec4eb17ef66085a352531b91fe997e
SHA1ced57ba029e646f8173a4359f9a19c22cc0e2816
SHA256cdf2ab89e9d7fcea46f02a951ccc693c33a99b0ef25a3bf457644b424efc1ff7
SHA512bd47971d69176b81c5064350bb7d6dab2a4cea2a5630889be45f2fc87016f13829ee7f1167e328739172f4c39ab141de0a8d82d5de2b11768847d548dcf6d593
-
Filesize
7KB
MD53fa562c9b6ae626da3fda006c5fe2995
SHA198201dd3c5fb1ffef5318f31a64dcb98198de2af
SHA2566b1004da3595ff423c8af3a630564461df692b4bd6a4bcbbe0329b068e7a656b
SHA512440ce95964333d107ba46277a7cfb3c8d7136617732d1c7c77df8f60fc72c838bc899a1453c75785323b086ce5a70f3673ba4dca48f97005143d5aed8f915895
-
Filesize
208KB
MD5241d4a8eed9c13a17abe8358ecc21621
SHA16f9ff78ec54c7ef8773640edb4c785f62b4d1aa0
SHA2569367bfa4323c722ec443c12b1946d070bf386a7432725871bb8b9855d4de6d40
SHA512c37373b5e2b811ae6fbaf840965b17f9fda23aca9b18bc35e2f66f3ca5aa683bc4dfa9ff7ea06ac59b86da471719d5bac250186eaa4f44fb13ab7556ea735a9b
-
Filesize
208KB
MD5a017216176aa766ce8492c171c548f08
SHA15dba72d7119ab1f71b5b4a29e5f1358b920f569c
SHA256e8267d22756e4022a53c667fe146372b9c234f964133f02bee3bd07099c99445
SHA5128699c9b459296d91ed25e19b48f8631d32be31b6a627373a0a51a691193080bc71e4141dbe6f06a465ee7ff3039be32407c39bff7e4fd8ed26b1ac078c7b252b
-
Filesize
208KB
MD5c98c03a9db277d5939d3dc2ee196484b
SHA14109f107eaebb93c706a537aeecbca8f0a827ecb
SHA25692e109095740db8d09e067b792fe594a162e376364c333e2c4a313a7c451c82d
SHA51200c27a4beea56a93eaf9f8fab237aa1c65c7cf77fd380101b34fe4893af3ee44a4e2aadc7d71c56c27c39da4b66e61c89fbe332f9ddc801a93f47183686a9195
-
Filesize
208KB
MD5e4eaa09d0fba28021a9945ab6cab4b0a
SHA1f81ace0500fbff6dce96f24856d604701399ca14
SHA256399973a9ecaa8a8c6f43c7e172a3ed5217a61c911616bf66e9c6e4e9cd2a411a
SHA51277a12b5e437eadbe49c3e687e4ed4597dfdf4d6443e0b9e004170d18a43cc0cf728e125f31546d71fdacb7915c3e62f5e46bb6bf367bfce0d598021188a50657
-
Filesize
208KB
MD57736eef8375042f58d2041469b9e2540
SHA17f9eb86643729c12fd4b45ed4bcc166ed46c6172
SHA2565520cc61e23b3f7dfe9b86f97b45522f69cdfc342e116fe73b2009a4ab0c1093
SHA512730eace5cba043c34090b63c3877484dfcf67103d4a878939bb939388f1ce01038e567632ba3510bbeebaf1ee64999ddab9a0d5ae3ac39f03f55a44df70b0f45
-
Filesize
208KB
MD5ac33384e370afd97f546b9f50a185807
SHA11a3c811defd12f967b48f2336f318c8c3bb6a120
SHA25693f5066705ad78d5fbec8b2fd40af7328dc546622c10d2caad03d2c9c5734c0a
SHA51214a73e4a1a45b9d993c7d6139e4fd652a1fb80687c80707af3251ab21315d555d1dcd1e8fc8bddebc2a535955db456fbd992f2a68e2a875fbd5878982fcf53e4