Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-05-2024 08:59
Static task
- static1
Behavioral task
- behavioral1 | Sample: 3eb0276a9cf9b5a8cfd6dc1eb40e9d0e_JaffaCakes118.exe | Resource: win7-20240221-en
- behavioral2 | Sample: 3eb0276a9cf9b5a8cfd6dc1eb40e9d0e_JaffaCakes118.exe | Resource: win10v2004-20240508-en
- behavioral3 | Sample: $PLUGINSDIR/System.dll | Resource: win7-20240419-en
- behavioral4 | Sample: $PLUGINSDIR/System.dll | Resource: win10v2004-20240508-en
- behavioral5 | Sample: $PLUGINSDIR/nsDialogs.dll | Resource: win7-20240221-en
- behavioral6 | Sample: $PLUGINSDIR/nsDialogs.dll | Resource: win10v2004-20240226-en
General
- Target: 3eb0276a9cf9b5a8cfd6dc1eb40e9d0e_JaffaCakes118.exe
- Size: 112KB
- MD5: 3eb0276a9cf9b5a8cfd6dc1eb40e9d0e
- SHA1: b48d3aff019d76ad42f9a1cca05cb6c4c04bb6ab
- SHA256: 165f409d83fa740b9aee823cba0d5842e1362e256bd8d046fba139f0b4dc7290
- SHA512: 8fbb99391bdf3210723c5a27378d5578cfee90714e363e1eef029341276e7bc59175743341bfa0bda6d475edb51db0003885b2f503fe9ffa8bd1c918008b1940
- SSDEEP: 3072:kX7DItrfaocyTgfsqQOlJCeqgKJ+BCeyI1ztTI81j:ksaocyLCWgKiThth1j
Malware Config
Signatures
-
Loads dropped DLL 2 IoCs
pid | Process
3276 | 3eb0276a9cf9b5a8cfd6dc1eb40e9d0e_JaffaCakes118.exe
3276 | 3eb0276a9cf9b5a8cfd6dc1eb40e9d0e_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
4944 | msedge.exe
4944 | msedge.exe
2548 | msedge.exe
2548 | msedge.exe
3488 | identity_helper.exe
3488 | identity_helper.exe
2784 | msedge.exe
2784 | msedge.exe
2672 | msedge.exe
2672 | msedge.exe
2672 | msedge.exe
2672 | msedge.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid | Process
2548 | msedge.exe
2548 | msedge.exe
2548 | msedge.exe
2548 | msedge.exe
2548 | msedge.exe
2548 | msedge.exe
2548 | msedge.exe
-
Suspicious use of FindShellTrayWindow 33 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3eb0276a9cf9b5a8cfd6dc1eb40e9d0e_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\3eb0276a9cf9b5a8cfd6dc1eb40e9d0e_JaffaCakes118.exe" 1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vgrom.com/engine/download.php?id=526 2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa37e46f8,0x7ffaa37e4708,0x7ffaa37e4718 3⤵ PID:4572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,7430780917966374524,15190747548629628667,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2 3⤵ PID:4932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,7430780917966374524,15190747548629628667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3 3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,7430780917966374524,15190747548629628667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8 3⤵ PID:2832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7430780917966374524,15190747548629628667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1 3⤵ PID:4456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7430780917966374524,15190747548629628667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1 3⤵ PID:4060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,7430780917966374524,15190747548629628667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8 3⤵ PID:1460
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,7430780917966374524,15190747548629628667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8 3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7430780917966374524,15190747548629628667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1 3⤵ PID:4672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7430780917966374524,15190747548629628667,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1 3⤵ PID:2424
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,7430780917966374524,15190747548629628667,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4884 /prefetch:8 3⤵ PID:512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7430780917966374524,15190747548629628667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1 3⤵ PID:3276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,7430780917966374524,15190747548629628667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8 3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7430780917966374524,15190747548629628667,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1 3⤵ PID:664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7430780917966374524,15190747548629628667,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1 3⤵ PID:1692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,7430780917966374524,15190747548629628667,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 /prefetch:2 3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2672
-
-
-
C:\Windows\System32\CompPkgSrv.exe C:\Windows\System32\CompPkgSrv.exe -Embedding 1⤵ PID:208
-
C:\Windows\System32\CompPkgSrv.exe C:\Windows\System32\CompPkgSrv.exe -Embedding 1⤵ PID:928
Network
MITRE ATT&CK Enterprise v15
Downloads