Malware Analysis Report

2024-08-06 14:18

Sample ID 240619-xnt8ya1hmq
Target 0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118
SHA256 dc9b0fde10b71811649cacff9df5f4dd3ae6bdad9c0a15a61a08307b3ef85ae9
Tags
modiloader trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc9b0fde10b71811649cacff9df5f4dd3ae6bdad9c0a15a61a08307b3ef85ae9

Threat Level: Known bad

The file 0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader trojan

ModiLoader Second Stage

Modiloader family

ModiLoader, DBatLoader

ModiLoader Second Stage

Deletes itself

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Replication Through Removable Media
T1091
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Replication Through Removable Media
T1091
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-19 19:00

Signatures

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Modiloader family

modiloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 19:00

Reported

2024-06-19 19:02

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WINSYS.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened for modification C:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File created F:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened for modification F:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\SgotoDel.bat C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\WINSYS.exe C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WINSYS.exe C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WINSYS.exe C:\Windows\SysWOW64\WINSYS.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2924 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe C:\Windows\SysWOW64\WINSYS.exe
PID 2924 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe C:\Windows\SysWOW64\WINSYS.exe
PID 2924 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe C:\Windows\SysWOW64\WINSYS.exe
PID 2924 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe C:\Windows\SysWOW64\WINSYS.exe
PID 2924 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2924 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe"

C:\Windows\SysWOW64\WINSYS.exe

C:\Windows\system32\WINSYS.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows\system32\SgotoDel.bat

Network

N/A

Files

memory/2924-4-0x00000000001F0000-0x00000000001F1000-memory.dmp

F:\WINSYS.exe

MD5 0011ab6aa3a9e60818f1f9ed52ad2ba4
SHA1 2f02682435f4cca4db253ce5cf62681e1fcdaac4
SHA256 dc9b0fde10b71811649cacff9df5f4dd3ae6bdad9c0a15a61a08307b3ef85ae9
SHA512 6dca42276c2f2e4a5f572cb0ce99641a134a7b19f0a8bb4e319f23bf5aca7deccfcb5090a150f041b6b55324a590d29dc76e5a6b698c1e77cc6a52a67eda40d0

memory/2444-19-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Windows\SysWOW64\SgotoDel.bat

MD5 5b053b7070308a45bd73a0dec287e9a5
SHA1 e0d0d334e01600823acab55ba2a2fae361628222
SHA256 977cc3a8e8af5da50b463841f7b8ce81dd05b07ed7959b98dde00d70cd293097
SHA512 64c1778e97d4a3f39f26b5bd82d7e4bfbf038cd61a7a2c766d3a77c8872703b53619c7a70d9948416e899fd2845d22b9487f52e153f824942b599c5ed5171880

memory/2924-27-0x0000000000400000-0x00000000004BF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 19:00

Reported

2024-06-19 19:03

Platform

win10v2004-20240611-en

Max time kernel

139s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WINSYS.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File created F:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened for modification F:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File created C:\AutoRun.inf C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WINSYS.exe C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WINSYS.exe C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\WINSYS.exe C:\Windows\SysWOW64\WINSYS.exe N/A
File created C:\Windows\SysWOW64\SgotoDel.bat C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3748 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe C:\Windows\SysWOW64\WINSYS.exe
PID 3748 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe C:\Windows\SysWOW64\WINSYS.exe
PID 3748 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe C:\Windows\SysWOW64\WINSYS.exe
PID 3748 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3748 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3748 wrote to memory of 712 N/A C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0011ab6aa3a9e60818f1f9ed52ad2ba4_JaffaCakes118.exe"

C:\Windows\SysWOW64\WINSYS.exe

C:\Windows\system32\WINSYS.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\system32\SgotoDel.bat

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/3748-0-0x0000000002340000-0x0000000002341000-memory.dmp

F:\WINSYS.exe

MD5 0011ab6aa3a9e60818f1f9ed52ad2ba4
SHA1 2f02682435f4cca4db253ce5cf62681e1fcdaac4
SHA256 dc9b0fde10b71811649cacff9df5f4dd3ae6bdad9c0a15a61a08307b3ef85ae9
SHA512 6dca42276c2f2e4a5f572cb0ce99641a134a7b19f0a8bb4e319f23bf5aca7deccfcb5090a150f041b6b55324a590d29dc76e5a6b698c1e77cc6a52a67eda40d0

memory/1396-14-0x00000000007A0000-0x00000000007A1000-memory.dmp

memory/1396-16-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/3748-18-0x0000000000400000-0x00000000004BF000-memory.dmp

C:\Windows\SysWOW64\SgotoDel.bat

MD5 5b053b7070308a45bd73a0dec287e9a5
SHA1 e0d0d334e01600823acab55ba2a2fae361628222
SHA256 977cc3a8e8af5da50b463841f7b8ce81dd05b07ed7959b98dde00d70cd293097
SHA512 64c1778e97d4a3f39f26b5bd82d7e4bfbf038cd61a7a2c766d3a77c8872703b53619c7a70d9948416e899fd2845d22b9487f52e153f824942b599c5ed5171880