Analysis
max time kernel: 150s
max time network: 146s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25-06-2024 23:41
Static task: static1
Behavioral task: behavioral1
Sample: 0ff5c0c167cabc1fa9c1a27273a0df18_JaffaCakes118.dll
Resource: win7-20240221-en
General
Target: 0ff5c0c167cabc1fa9c1a27273a0df18_JaffaCakes118.dll
Size: 166KB
MD5: 0ff5c0c167cabc1fa9c1a27273a0df18
SHA1: 55a6b059fe16fb37a0771cbec3ef4e0644082c8a
SHA256: cce1caa13d3448164cbc79a53e95d712b92a306c9390d5125b3ce37c16a2ac36
SHA512: 87eb385486f04c7f7772f6e8043b97cfff9ec3f1766fa756fa002c8e27a81e085cbf8d07df64a87e98c84747c4547131a21c27ef3e687d2170822669eb5fcba8
SSDEEP: 1536:+5lTUKCYmCgV5bT/2d1QYesG+sxFm2mEgW+YBOYYtV/rerTN:wTU56gVxj27NeUuFm1byOYUNqd
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"
Process: svchost.exe
Executes dropped EXE 2 IoCs
pid | Process
2088 | regsvr32mgr.exe
2756 | WaterMark.exe
Loads dropped DLL 4 IoCs
pid | Process
2188 | regsvr32.exe
2188 | regsvr32.exe
2088 | regsvr32mgr.exe
2088 | regsvr32mgr.exe
resource | yara_rule
behavioral1/memory/2088-19-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2088-17-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2088-16-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2088-15-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2088-14-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2088-13-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2088-12-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2756-53-0x0000000000400000-0x0000000000421000-memory.dmp | upx
behavioral1/memory/2756-563-0x0000000000400000-0x0000000000421000-memory.dmp | upx
Drops file in System32 directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
File created | C:\Windows\SysWOW64\regsvr32mgr.exe | regsvr32.exe
File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
Drops file in Program Files directory 64 IoCs
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid | Process
2756 | WaterMark.exe
1688 | svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2756 | WaterMark.exe
Token: SeDebugPrivilege | 1688 | svchost.exe
Token: SeDebugPrivilege | 2756 | WaterMark.exe
Suspicious use of UnmapMainImage 2 IoCs
pid | Process
2088 | regsvr32mgr.exe
2756 | WaterMark.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1584 wrote to memory of 2188 | 1584 | regsvr32.exe | 28
PID 2188 wrote to memory of 2088 | 2188 | regsvr32.exe | 29
PID 2088 wrote to memory of 2756 | 2088 | regsvr32mgr.exe | 30
PID 2756 wrote to memory of 1048 | 2756 | WaterMark.exe | 31
PID 2756 wrote to memory of 1688 | 2756 | WaterMark.exe | 32
PID 1688 wrote to memory of 260 | 1688 | svchost.exe | 1
PID 1688 wrote to memory of 340 | 1688 | svchost.exe | 2
PID 1688 wrote to memory of 396 | 1688 | svchost.exe | 3
PID 1688 wrote to memory of 388 | 1688 | svchost.exe | 4
PID 1688 wrote to memory of 436 | 1688 | svchost.exe | 5
PID 1688 wrote to memory of 480 | 1688 | svchost.exe | 6
Processes
PID | image | command line (indentation shows process tree depth)
PID 260 | C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe
PID 340 | C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
PID 396 | C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
PID 388 | C:\Windows\system32\wininit.exe | wininit.exe
  PID 480 | C:\Windows\system32\services.exe | C:\Windows\system32\services.exe
    PID 620 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch
      PID 1608 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      PID 3052 | C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    PID 696 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS
    PID 780 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    PID 828 | C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      PID 1060 | C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe"
    PID 860 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs
      PID 2068 | C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R
    PID 980 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService
    PID 296 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService
    PID 1088 | C:\Windows\system32\taskhost.exe | "taskhost.exe"
    PID 1096 | C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe
    PID 1176 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    PID 1872 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    PID 904 | C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe
  PID 496 | C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe
  PID 504 | C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe
PID 436 | C:\Windows\system32\winlogon.exe | winlogon.exe
PID 1136 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  PID 1584 | C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0ff5c0c167cabc1fa9c1a27273a0df18_JaffaCakes118.dll
    - Suspicious use of WriteProcessMemory
    PID 2188 | C:\Windows\SysWOW64\regsvr32.exe | /s C:\Users\Admin\AppData\Local\Temp\0ff5c0c167cabc1fa9c1a27273a0df18_JaffaCakes118.dll
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      PID 2088 | C:\Windows\SysWOW64\regsvr32mgr.exe | C:\Windows\SysWOW64\regsvr32mgr.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of UnmapMainImage
        - Suspicious use of WriteProcessMemory
        PID 2756 | C:\Program Files (x86)\Microsoft\WaterMark.exe | "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
          PID 1048 | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe
            - Modifies WinLogon for persistence
            - Drops file in System32 directory
            - Drops file in Program Files directory
          PID 1688 | C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads