Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-06-2024 20:22
Static task: static1
Behavioral task: behavioral1
Sample: e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
Resource: win7-20240611-en
Behavioral task: behavioral2
Sample: e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
Resource: win10v2004-20240508-en
General
Target: e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
Size: 357KB
MD5: bcf80fd61a963f4569a0f11ab02c6572
SHA1: 58194f80a70e08de6f074fc7843f414b7ed2de00
SHA256: e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf
SHA512: 412ed65291397134cb39823fcb2569c75d875b9b86571646850f50b3262491d31ae0336e1ab1e3d2de88e30050f92b7f2ec30315c6df686d58d6bd39204eb734
SSDEEP: 6144:9VfjmN4shCYLrMTaN8wSEQKRzOALPmB3tl3HAO8fYkL1o:b7+4shC2N8wSEQKdjyBdRHy1o
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes: Logo1_.exe, e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
| pid | process |
| 4064 | Logo1_.exe |
| 704 | e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe |
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Logo1_.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
| description | ioc | process |
| File opened for modification | \??\PhysicalDrive0 | e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe |
Drops file in Program Files directory 64 IoCs
Processes: Logo1_.exe
Drops file in Windows directory 4 IoCs
Processes: e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe, Logo1_.exe
| description | ioc | process |
| File created | C:\Windows\rundl132.exe | e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe |
| File created | C:\Windows\Logo1_.exe | e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe |
| File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe |
| File created | C:\Windows\vDll.dll | Logo1_.exe |
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes: Logo1_.exe
| pid | process |
| 4064 | Logo1_.exe |
Suspicious use of WriteProcessMemory 17 IoCs
Processes: e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe, Logo1_.exe, net.exe, cmd.exe
| description | pid | process | target process |
| PID 3788 wrote to memory of 3604 | 3788 | e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe | cmd.exe |
| PID 3788 wrote to memory of 4064 | 3788 | e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe | Logo1_.exe |
| PID 4064 wrote to memory of 4784 | 4064 | Logo1_.exe | net.exe |
| PID 4784 wrote to memory of 2700 | 4784 | net.exe | net1.exe |
| PID 3604 wrote to memory of 704 | 3604 | cmd.exe | e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe |
| PID 4064 wrote to memory of 3456 | 4064 | Logo1_.exe | Explorer.EXE |
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3456
  - C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe"
    PID: 3788
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a686E.bat
      PID: 3604
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe"
        PID: 704
        Signatures: Executes dropped EXE; Writes to the Master Boot Record (MBR)
    - C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      PID: 4064
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 4784
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2700
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 636KB
C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
Filesize: 331KB