Analysis
-
max time kernel
137s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
26-06-2024 01:29
Static task
static1
Behavioral task
behavioral1
Sample
104249669c100b40e4284728da56a8df_JaffaCakes118.dll
Resource
win7-20240611-en
General
-
Target
104249669c100b40e4284728da56a8df_JaffaCakes118.dll
-
Size
166KB
-
MD5
104249669c100b40e4284728da56a8df
-
SHA1
9ffb3a8eb4b5a02e68611bbda478a8740fdeeaeb
-
SHA256
9b297bbad3cc758a360030ed4896a90fbd552a038e36efe8e7cf706aeb383bb3
-
SHA512
f974fbb6803dc25eb992e27a4d7e181358409e8f571f4e351ebfb4989a4471c1ac308524fc32e75ff191ab734c3763070631b61613d3a59d71d042999033d6da
-
SSDEEP
1536:i5lTUKCYmCgV5bT/2d1QYePvaLj30b9KVv6q7pbhD3fdaAsU3wNBz0KB:sTU56gVxj27NePy330wN6qb3MAxwgKB
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Executes dropped EXE 2 IoCs
pid Process 1112 regsvr32mgr.exe 2624 WaterMark.exe -
Loads dropped DLL 4 IoCs
pid Process 2920 regsvr32.exe 2920 regsvr32.exe 1112 regsvr32mgr.exe 1112 regsvr32mgr.exe -
resource yara_rule behavioral1/memory/1112-15-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1112-14-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1112-13-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1112-12-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1112-22-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1112-20-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1112-19-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/1112-18-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2624-41-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2624-37-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2624-565-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\regsvr32mgr.exe regsvr32.exe File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\JAWTAccessBridge-64.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.ServiceModel.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Defender\MSASCui.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsdt.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_chromecast_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Media Player\wmpshare.exe svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\settings.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libaes3_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcolorthres_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Journal\jnwppr.dll svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\java.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationBuildTasks.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libftp_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libinvert_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libalphamask_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libripple_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\ssv.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Selectors.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Design.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Utilities.v3.5.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libwinhibit_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\flyout.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jli.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libts_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\cpu.html svchost.exe File opened for modification C:\Program Files\Internet Explorer\pdm.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgrain_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Defender\MpCommu.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationTypes.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libscte18_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\librawdv_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\gui\libskins2_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\currency.html svchost.exe File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Resources.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\settings.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcanvas_plugin.dll svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\libGLESv2.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Linq.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Routing.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libdav1d_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\kcms.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libdolby_surround_decoder_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\settings.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html svchost.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process 2624 WaterMark.exe 2624 WaterMark.exe 2624 WaterMark.exe 2624 WaterMark.exe 2624 WaterMark.exe 2624 WaterMark.exe 2624 WaterMark.exe 2624 WaterMark.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe 2772 svchost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2624 WaterMark.exe Token: SeDebugPrivilege 2772 svchost.exe Token: SeDebugPrivilege 2624 WaterMark.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 1112 regsvr32mgr.exe 2624 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1784 wrote to memory of 2920 1784 regsvr32.exe 28 PID 1784 wrote to memory of 2920 1784 regsvr32.exe 28 PID 1784 wrote to memory of 2920 1784 regsvr32.exe 28 PID 1784 wrote to memory of 2920 1784 regsvr32.exe 28 PID 1784 wrote to memory of 2920 1784 regsvr32.exe 28 PID 1784 wrote to memory of 2920 1784 regsvr32.exe 28 PID 1784 wrote to memory of 2920 1784 regsvr32.exe 28 PID 2920 wrote to memory of 1112 2920 regsvr32.exe 29 PID 2920 wrote to memory of 1112 2920 regsvr32.exe 29 PID 2920 wrote to memory of 1112 2920 regsvr32.exe 29 PID 2920 wrote to memory of 1112 2920 regsvr32.exe 29 PID 1112 wrote to memory of 2624 1112 regsvr32mgr.exe 30 PID 1112 wrote to memory of 2624 1112 regsvr32mgr.exe 30 PID 1112 wrote to memory of 2624 1112 regsvr32mgr.exe 30 PID 1112 wrote to memory of 2624 1112 regsvr32mgr.exe 30 PID 2624 wrote to memory of 2656 2624 WaterMark.exe 31 PID 2624 wrote to memory of 2656 2624 WaterMark.exe 31 PID 2624 wrote to memory of 2656 2624 WaterMark.exe 31 PID 2624 wrote to memory of 2656 2624 WaterMark.exe 31 PID 2624 wrote to memory of 2656 2624 WaterMark.exe 31 PID 2624 wrote to memory of 2656 2624 WaterMark.exe 31 PID 2624 wrote to memory of 2656 2624 WaterMark.exe 31 PID 2624 wrote to memory of 2656 2624 WaterMark.exe 31 PID 2624 wrote to memory of 2656 2624 WaterMark.exe 31 PID 2624 wrote to memory of 2656 2624 WaterMark.exe 31 PID 2624 wrote to memory of 2772 2624 WaterMark.exe 32 PID 2624 wrote to memory of 2772 2624 WaterMark.exe 32 PID 2624 wrote to memory of 2772 2624 WaterMark.exe 32 PID 2624 wrote to memory of 2772 2624 WaterMark.exe 32 PID 2624 wrote to memory of 2772 2624 WaterMark.exe 32 PID 2624 wrote to memory of 2772 2624 WaterMark.exe 32 PID 2624 wrote to memory of 2772 2624 WaterMark.exe 32 PID 2624 wrote to memory of 2772 2624 WaterMark.exe 32 PID 2624 wrote to memory of 2772 2624 WaterMark.exe 32 PID 2624 wrote to memory of 2772 2624 WaterMark.exe 32 PID 2772 wrote to memory of 256 2772 svchost.exe 1 PID 2772 wrote to memory of 256 2772 svchost.exe 1 PID 2772 wrote to memory of 256 2772 svchost.exe 1 PID 2772 wrote to memory of 256 2772 svchost.exe 1 PID 2772 wrote to memory of 256 2772 svchost.exe 1 PID 2772 wrote to memory of 332 2772 svchost.exe 2 PID 2772 wrote to memory of 332 2772 svchost.exe 2 PID 2772 wrote to memory of 332 2772 svchost.exe 2 PID 2772 wrote to memory of 332 2772 svchost.exe 2 PID 2772 wrote to memory of 332 2772 svchost.exe 2 PID 2772 wrote to memory of 368 2772 svchost.exe 3 PID 2772 wrote to memory of 368 2772 svchost.exe 3 PID 2772 wrote to memory of 368 2772 svchost.exe 3 PID 2772 wrote to memory of 368 2772 svchost.exe 3 PID 2772 wrote to memory of 368 2772 svchost.exe 3 PID 2772 wrote to memory of 380 2772 svchost.exe 4 PID 2772 wrote to memory of 380 2772 svchost.exe 4 PID 2772 wrote to memory of 380 2772 svchost.exe 4 PID 2772 wrote to memory of 380 2772 svchost.exe 4 PID 2772 wrote to memory of 380 2772 svchost.exe 4 PID 2772 wrote to memory of 416 2772 svchost.exe 5 PID 2772 wrote to memory of 416 2772 svchost.exe 5 PID 2772 wrote to memory of 416 2772 svchost.exe 5 PID 2772 wrote to memory of 416 2772 svchost.exe 5 PID 2772 wrote to memory of 416 2772 svchost.exe 5 PID 2772 wrote to memory of 464 2772 svchost.exe 6 PID 2772 wrote to memory of 464 2772 svchost.exe 6 PID 2772 wrote to memory of 464 2772 svchost.exe 6 PID 2772 wrote to memory of 464 2772 svchost.exe 6
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:256
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:332
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:368
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:464
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:576
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:1176
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding4⤵PID:2984
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:656
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:740
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:800
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1168
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:832
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵PID:2856
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:980
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:272
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:276
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:1028
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1104
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:1536
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:2244
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:472
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:480
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:380
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:416
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1240
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\104249669c100b40e4284728da56a8df_JaffaCakes118.dll2⤵
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\104249669c100b40e4284728da56a8df_JaffaCakes118.dll3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\regsvr32mgr.exeC:\Windows\SysWOW64\regsvr32mgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2656
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize206KB
MD5fd30ec7c2764a8a430ba98d775c515ce
SHA18e953ea5f92c20a78ad8c164f7ac3014d194cf1f
SHA25663abc203fd5ac0a2c8c10b26caaa8508c4015a2bdfd3b2e862e9c904e655269f
SHA512d0bda44ec78741aa1a07289ea4b9ebc37b768fb75612a4f28ca27883786b19458f95eb6405130501280daddff9603269ac5a404b188d62d374d62698c743db5e
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize202KB
MD5111402f843968dc779d6430c3bfc2e01
SHA1d59e07ea06b7e63ef6618cb235df085caf938efb
SHA2564a72f0da313fc8f069709c0b61110a43aa2bd95d1e63b76cf8b8dbb9bf8a587d
SHA5127123adcc94c9c15158589646630aba825885b818a35aefbcdc4b07d538ddc3d719767b6811cc2db19a590c9925c713f434f0b2d8d093aed3d5e20296c39787d7
-
Filesize
96KB
MD58c51fd9d6daa7b6137634de19a49452c
SHA1db2a11cca434bacad2bf42adeecae38e99cf64f8
SHA256528d190fc376cff62a83391a5ba10ae4ef0c02bedabd0360274ddc2784e11da3
SHA512b93dd6c86d0618798a11dbaa2ded7dac659f6516ca4a87da7297601c27f340fffa4126a852c257654d562529273d8a3f639ec020ab54b879c68226deae549837