Analysis
max time kernel: 150s
max time network: 144s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
submitted: 03-07-2024 06:53
Static task
static1
Behavioral task
behavioral1
Sample
2173297f29acb1dd99fc66cc1a9c1630_JaffaCakes118.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
2173297f29acb1dd99fc66cc1a9c1630_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
Target: 2173297f29acb1dd99fc66cc1a9c1630_JaffaCakes118.exe
Size: 1.0MB
MD5: 2173297f29acb1dd99fc66cc1a9c1630
SHA1: a90f5dfe48858004b2959d343ae8c72fa6264edc
SHA256: 11540d6f5862071c9e8b99e45d146f68c40d7ad567def1c32adb58d0492f7fd0
SHA512: d898e8da0be3d6aba41b1bf8a010a311bfccebf534d515c4d07920fd71136994495c8118fe5fa70e9f3a31f366e6d5e9b3f7219a3b59e9f4918f7a72c801f238
SSDEEP: 12288:uAHyDFoAoGf83GoChR5e3PzV6hwy5ddUoANIz7UiOlBI+V9jNoGEhsRRcz2+mf9K:HaVk+zwFcYW10d474mfn
Malware Config
Extracted
cybergate
v1.07.5
MW2 Aimbot
hyperbcs.servegame.com:100
478L8I1K1DT17Y
enable_keylogger: true
enable_message_box: true
ftp_directory: ./logs/
ftp_interval: 30
ftp_password: wwewwewwE19
ftp_port: 21
ftp_server: njmodding.com
ftp_username: njmodding
injected_process: explorer.exe
install_dir: WinDir
install_file: wininit.exe
install_flag: true
keylogger_enable_ftp: true
message_box_caption: The application failed to initialize properly(0xc0000005).Click on OK to terminate the application.
message_box_title: Error
password: 123456
regkey_hkcu: HKCU
regkey_hklm: HKLM
Signatures
-
Adds policy Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\wininit.exe" | vbc.exe
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\WinDir\\wininit.exe" | vbc.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y51I72R0-0WAW-Q8DE-KBD1-724R44N5R846} | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y51I72R0-0WAW-Q8DE-KBD1-724R44N5R846}\StubPath = "C:\\Windows\\system32\\WinDir\\wininit.exe" | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y51I72R0-0WAW-Q8DE-KBD1-724R44N5R846} | vbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y51I72R0-0WAW-Q8DE-KBD1-724R44N5R846}\StubPath = "C:\\Windows\\system32\\WinDir\\wininit.exe Restart" | vbc.exe
Executes dropped EXE 2 IoCs
pid | Process
1108 | wininit.exe
2248 | wininit.exe
Loads dropped DLL 2 IoCs
pid | Process
2228 | vbc.exe
2284 | explorer.exe

resource | yara_rule
behavioral1/memory/2228-26-0x0000000010410000-0x0000000010475000-memory.dmp | upx
behavioral1/memory/644-546-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
behavioral1/memory/644-1671-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\WinDir\\wininit.exe" | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\WinDir\\wininit.exe" | vbc.exe
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\WinDir\wininit.exe | vbc.exe
File opened for modification | C:\Windows\SysWOW64\WinDir\wininit.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\WinDir\ | explorer.exe
File created | C:\Windows\SysWOW64\WinDir\wininit.exe | vbc.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2440 set thread context of 2228 | 2440 | 2173297f29acb1dd99fc66cc1a9c1630_JaffaCakes118.exe | 29
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | explorer.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
2228 | vbc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2284 | explorer.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeBackupPrivilege | 644 | explorer.exe
Token: SeRestorePrivilege | 644 | explorer.exe
Token: SeBackupPrivilege | 2284 | explorer.exe
Token: SeRestorePrivilege | 2284 | explorer.exe
Token: SeDebugPrivilege | 2284 | explorer.exe
Token: SeDebugPrivilege | 2284 | explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2228 | vbc.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2440 wrote to memory of 2224 | 2440 | 2173297f29acb1dd99fc66cc1a9c1630_JaffaCakes118.exe | 28
PID 2440 wrote to memory of 2228 | 2440 | 2173297f29acb1dd99fc66cc1a9c1630_JaffaCakes118.exe | 29
PID 2228 wrote to memory of 1228 | 2228 | vbc.exe | 21
Processes
C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID 1228
  C:\Users\Admin\AppData\Local\Temp\2173297f29acb1dd99fc66cc1a9c1630_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\2173297f29acb1dd99fc66cc1a9c1630_JaffaCakes118.exe"), PID 2440
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe), PID 2224
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe), PID 2228
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID 644
      - Boot or Logon Autostart Execution: Active Setup
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\explorer.exe (command line: explorer.exe), PID 2284
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\WinDir\wininit.exe (command line: "C:\Windows\system32\WinDir\wininit.exe"), PID 2248
        - Executes dropped EXE
      C:\Windows\SysWOW64\WinDir\wininit.exe (command line: "C:\Windows\system32\WinDir\wininit.exe"), PID 1108
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads