Analysis
max time kernel: 150s
max time network: 143s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 25-06-2024 22:30
Static task
static1
Behavioral task
behavioral1
Sample
0fc3d9b499cf712693034613d8072265_JaffaCakes118.dll
Resource
win7-20231129-en
General
-
Target
0fc3d9b499cf712693034613d8072265_JaffaCakes118.dll
-
Size
132KB
-
MD5
0fc3d9b499cf712693034613d8072265
-
SHA1
a068a50955e4cdd5758546ea1b0d421eca8e001f
-
SHA256
d23999f3a408ce1055a388577fc92c5ac55f2b87061985327ec833f03b0cf66a
-
SHA512
f10eeebfb1d1e150675d775c7c67786769f952260d6ec151df0e40d93bad0f68fa0988b87883ea6173281291a2fe205b84a8936a0bc3687c9cdd77f3cee7fdbc
-
SSDEEP
3072:lo6nwLqrSa4I+VCUgVr9kYaQBqaFM2oVhyAn1+C:K6ungVrwwM2uf1/
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"
Process: svchost.exe
Executes dropped EXE 2 IoCs
pid Process 1968 regsvr32mgr.exe 2064 WaterMark.exe -
Loads dropped DLL 4 IoCs
pid Process 2032 regsvr32.exe 2032 regsvr32.exe 1968 regsvr32mgr.exe 1968 regsvr32mgr.exe -
resource yara_rule
behavioral1/memory/1968-14-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral1/memory/1968-13-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral1/memory/1968-12-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral1/memory/1968-19-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral1/memory/1968-17-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral1/memory/1968-16-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral1/memory/1968-15-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral1/memory/2064-38-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral1/memory/2064-37-0x0000000000400000-0x0000000000435000-memory.dmp upx
behavioral1/memory/2064-41-0x0000000000400000-0x0000000000421000-memory.dmp upx
behavioral1/memory/2064-563-0x0000000000400000-0x0000000000421000-memory.dmp upx
Drops file in System32 directory 3 IoCs
description ioc Process
File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe
File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe
File created C:\Windows\SysWOW64\regsvr32mgr.exe regsvr32.exe
Drops file in Program Files directory 64 IoCs
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process
2064 WaterMark.exe
2544 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2064 WaterMark.exe Token: SeDebugPrivilege 2544 svchost.exe Token: SeDebugPrivilege 2064 WaterMark.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 1968 regsvr32mgr.exe 2064 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1044 wrote to memory of 2032 | 1044 | regsvr32.exe | 28
PID 2032 wrote to memory of 1968 | 2032 | regsvr32.exe | 29
PID 1968 wrote to memory of 2064 | 1968 | regsvr32mgr.exe | 30
PID 2064 wrote to memory of 2716 | 2064 | WaterMark.exe | 31
PID 2064 wrote to memory of 2544 | 2064 | WaterMark.exe | 32
PID 2544 wrote to memory of 260 | 2544 | svchost.exe | 1
PID 2544 wrote to memory of 336 | 2544 | svchost.exe | 2
PID 2544 wrote to memory of 388 | 2544 | svchost.exe | 3
PID 2544 wrote to memory of 400 | 2544 | svchost.exe | 4
PID 2544 wrote to memory of 436 | 2544 | svchost.exe | 5
PID 2544 wrote to memory of 480 | 2544 | svchost.exe | 6
Processes
C:\Windows\System32\smss.exe [PID 260]
  cmdline: \SystemRoot\System32\smss.exe
C:\Windows\system32\csrss.exe [PID 336]
  cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\wininit.exe [PID 388]
  cmdline: wininit.exe
  C:\Windows\system32\services.exe [PID 480]
    cmdline: C:\Windows\system32\services.exe
    C:\Windows\system32\svchost.exe [PID 600]
      cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch
      C:\Windows\system32\DllHost.exe [PID 1248]
        cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      C:\Windows\system32\wbem\wmiprvse.exe [PID 700]
        cmdline: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    C:\Windows\system32\svchost.exe [PID 676]
      cmdline: C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe [PID 752]
      cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe [PID 808]
      cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      C:\Windows\system32\Dwm.exe [PID 1364]
        cmdline: "C:\Windows\system32\Dwm.exe"
    C:\Windows\system32\svchost.exe [PID 856]
      cmdline: C:\Windows\system32\svchost.exe -k netsvcs
      C:\Windows\system32\wbem\WMIADAP.EXE [PID 1952]
        cmdline: wmiadap.exe /F /T /R
    C:\Windows\system32\svchost.exe [PID 996]
      cmdline: C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe [PID 304]
      cmdline: C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe [PID 920]
      cmdline: C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe [PID 404]
      cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe [PID 1288]
      cmdline: "taskhost.exe"
    C:\Windows\system32\svchost.exe [PID 2344]
      cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\sppsvc.exe [PID 2108]
      cmdline: C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\lsass.exe [PID 496]
    cmdline: C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsm.exe [PID 504]
    cmdline: C:\Windows\system32\lsm.exe
C:\Windows\system32\csrss.exe [PID 400]
  cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe [PID 436]
  cmdline: winlogon.exe
C:\Windows\Explorer.EXE [PID 1404]
  cmdline: C:\Windows\Explorer.EXE
  C:\Windows\system32\regsvr32.exe [PID 1044]
    cmdline: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0fc3d9b499cf712693034613d8072265_JaffaCakes118.dll
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe [PID 2032]
      cmdline: /s C:\Users\Admin\AppData\Local\Temp\0fc3d9b499cf712693034613d8072265_JaffaCakes118.dll
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\regsvr32mgr.exe [PID 1968]
        cmdline: C:\Windows\SysWOW64\regsvr32mgr.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\WaterMark.exe [PID 2064]
          cmdline: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\svchost.exe [PID 2716]
            cmdline: C:\Windows\system32\svchost.exe
            - Modifies WinLogon for persistence
            - Drops file in System32 directory
            - Drops file in Program Files directory
          C:\Windows\SysWOW64\svchost.exe [PID 2544]
            cmdline: C:\Windows\system32\svchost.exe
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads