Analysis
max time kernel: 77s
max time network: 74s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19/06/2024, 22:22
Behavioral task: behavioral1
Sample: voda.exe
Resource: win11-20240508-en
General
Target: voda.exe
Size: 3.4MB
MD5: d69e750cc8c091f0b64bbcc41e1a121b
SHA1: 36b4a5402a1c29de746d3ef61662dfb60237bf31
SHA256: e6a583eed8c709ab5db6c149c039a14abbf4af95d5b35590b318cf3e44b88868
SHA512: 79903a6be303d1893c3bc492d3b6f2859ccfce2d798c3fff1d4dec2105083046b638e0a3ac69bfe6811d9a2a9687b2a3180667167c0425eac6bf9327793b8bc7
SSDEEP: 98304:csMeWq8s0Ic7b09uEQX0AxR6myL4pvS+96nZkC+Y:BMa8fMsE8bxQmOG6B
Malware Config
Extracted
risepro
77.91.77.66:58709
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | voda.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | RageMP131.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | RageMP131.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | RageMP131.exe |

Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RageMP131.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RageMP131.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RageMP131.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RageMP131.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RageMP131.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | voda.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | voda.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RageMP131.exe |

Executes dropped EXE 3 IoCs

| pid | Process |
| --- | --- |
| 1632 | RageMP131.exe |
| 1368 | RageMP131.exe |
| 2728 | RageMP131.exe |

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/816-0-0x0000000000400000-0x0000000000C61000-memory.dmp | themida |
| behavioral1/memory/816-1-0x0000000000400000-0x0000000000C61000-memory.dmp | themida |
| behavioral1/memory/816-2-0x0000000000400000-0x0000000000C61000-memory.dmp | themida |
| behavioral1/memory/816-3-0x0000000000400000-0x0000000000C61000-memory.dmp | themida |
| behavioral1/files/0x000300000002a9e6-83.dat | themida |
| behavioral1/memory/816-84-0x0000000000400000-0x0000000000C61000-memory.dmp | themida |
| behavioral1/memory/1632-88-0x0000000000400000-0x0000000000C61000-memory.dmp | themida |
| behavioral1/memory/1632-89-0x0000000000400000-0x0000000000C61000-memory.dmp | themida |
| behavioral1/memory/1632-90-0x0000000000400000-0x0000000000C61000-memory.dmp | themida |
| behavioral1/memory/1632-87-0x0000000000400000-0x0000000000C61000-memory.dmp | themida |
| behavioral1/memory/1632-94-0x0000000000400000-0x0000000000C61000-memory.dmp | themida |
| behavioral1/memory/1368-97-0x0000000000400000-0x0000000000C61000-memory.dmp | themida |
| behavioral1/memory/1368-99-0x0000000000400000-0x0000000000C61000-memory.dmp | themida |
| behavioral1/memory/1368-98-0x0000000000400000-0x0000000000C61000-memory.dmp | themida |
| behavioral1/memory/1368-96-0x0000000000400000-0x0000000000C61000-memory.dmp | themida |
| behavioral1/memory/1368-102-0x0000000000400000-0x0000000000C61000-memory.dmp | themida |
| behavioral1/memory/2728-105-0x0000000000400000-0x0000000000C61000-memory.dmp | themida |
| behavioral1/memory/2728-106-0x0000000000400000-0x0000000000C61000-memory.dmp | themida |
| behavioral1/memory/2728-107-0x0000000000400000-0x0000000000C61000-memory.dmp | themida |
| behavioral1/memory/2728-110-0x0000000000400000-0x0000000000C61000-memory.dmp | themida |

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | voda.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | voda.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | voda.exe |

Adds Run key to start application 2 TTPs 1 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe" | voda.exe |

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RageMP131.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RageMP131.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RageMP131.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | voda.exe |

Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

| flow | ioc |
| --- | --- |
| 11 | ipinfo.io |
| 14 | ipinfo.io |
| 16 | ipinfo.io |
| 24 | ipinfo.io |
| 2 | ipinfo.io |
| 3 | ipinfo.io |
| 10 | ipinfo.io |

Program crash 1 IoCs

| pid | pid_target | Process | procid_target |
| --- | --- | --- | --- |
| 432 | 816 | WerFault.exe | 76 |

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe |

Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | voda.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | voda.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe |

Modifies data under HKEY_USERS 2 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-19\Control Panel\International\TzNotification | SystemSettingsAdminFlows.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Control Panel\International\TzNotification\PreviousTzChange | SystemSettingsAdminFlows.exe |

Modifies registry class 1 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | taskmgr.exe |

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
| --- | --- |
| 4808 | schtasks.exe |
| 2008 | schtasks.exe |

Suspicious behavior: EnumeratesProcesses 64 IoCs

| pid | Process |
| --- | --- |
| 3456 | taskmgr.exe |
| 816 | voda.exe |

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

| pid | Process |
| --- | --- |
| 3456 | taskmgr.exe |

Suspicious use of AdjustPrivilegeToken 5 IoCs

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 3456 | taskmgr.exe |
| Token: SeSystemProfilePrivilege | 3456 | taskmgr.exe |
| Token: SeCreateGlobalPrivilege | 3456 | taskmgr.exe |
| Token: SeSystemtimePrivilege | 4864 | SystemSettingsAdminFlows.exe |
| Token: SeSystemtimePrivilege | 4864 | SystemSettingsAdminFlows.exe |

Suspicious use of FindShellTrayWindow 64 IoCs

| pid | Process |
| --- | --- |
| 3456 | taskmgr.exe |

Suspicious use of SendNotifyMessage 64 IoCs

| pid | Process |
| --- | --- |
| 3456 | taskmgr.exe |

Suspicious use of SetWindowsHookEx 1 IoCs

| pid | Process |
| --- | --- |
| 4864 | SystemSettingsAdminFlows.exe |

Suspicious use of WriteProcessMemory 6 IoCs

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 816 wrote to memory of 4808 | 816 | voda.exe | 77 |
| PID 816 wrote to memory of 4808 | 816 | voda.exe | 77 |
| PID 816 wrote to memory of 4808 | 816 | voda.exe | 77 |
| PID 816 wrote to memory of 2008 | 816 | voda.exe | 79 |
| PID 816 wrote to memory of 2008 | 816 | voda.exe | 79 |
| PID 816 wrote to memory of 2008 | 816 | voda.exe | 79 |

outlook_office_path 1 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | voda.exe |

outlook_win_path 1 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | voda.exe |

Processes
C:\Users\Admin\AppData\Local\Temp\voda.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\voda.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID: 816

  C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  - Scheduled Task/Job: Scheduled Task
  PID: 4808

  C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  - Scheduled Task/Job: Scheduled Task
  PID: 2008

  C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1472
  - Program crash
  PID: 432

C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /0
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 3456

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 816 -ip 816
PID: 4488

C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 1444

C:\Users\Admin\AppData\Local\RageMP131\RageMP131.exe
Command line: "C:\Users\Admin\AppData\Local\RageMP131\RageMP131.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID: 1632

C:\Users\Admin\AppData\Local\RageMP131\RageMP131.exe
Command line: "C:\Users\Admin\AppData\Local\RageMP131\RageMP131.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID: 1368

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
PID: 3876

C:\Windows\system32\SystemSettingsAdminFlows.exe
Command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" SetTimeZoneAutoUpdate 0
- Modifies data under HKEY_USERS
PID: 5116

C:\Windows\system32\SystemSettingsAdminFlows.exe
Command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" SetDateTime
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 4864

C:\Users\Admin\AppData\Local\RageMP131\RageMP131.exe
Command line: "C:\Users\Admin\AppData\Local\RageMP131\RageMP131.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID: 2728
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads