Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/08/2024, 07:06
Static task: static1
Behavioral task: behavioral1
Sample: 8535fc494a078ec7b975908dd91a04e0_JaffaCakes118.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 8535fc494a078ec7b975908dd91a04e0_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: 8535fc494a078ec7b975908dd91a04e0_JaffaCakes118.exe
Size: 982KB
MD5: 8535fc494a078ec7b975908dd91a04e0
SHA1: 8546009f7f1466e4f7eb1cac4fe246af2963b1d5
SHA256: 8acd1a17583964daef8c49d20f2c970576241810cd3c91dbd8d24efe77cc1b50
SHA512: 558f029c9a99385e9ceffc9450619d0c0f3eb8be02e3ccde275fa5dedb2b8c98aff5a235435ae1a7552ff76ab5ac0fd40fae0467659d1c66f916eb17321a6af7
SSDEEP: 24576:QFszWS5unaLSnYTwGJ+xCXdgVtgzEwe2Xp+8YKdxGHzcDJ:QxaOYTwM+ct2PKdqADJ
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation  8535fc494a078ec7b975908dd91a04e0_JaffaCakes118.exe
-
Executes dropped EXE 4 IoCs
pid  Process
548  notice.exe
1568  tjmy.exe
1036  down.exe
4648  xun1ei.exe
-
resource  yara_rule
behavioral2/files/0x000700000002343a-22.dat  upx
behavioral2/memory/1568-30-0x0000000000400000-0x0000000000496000-memory.dmp  upx
behavioral2/memory/1568-32-0x0000000000400000-0x0000000000496000-memory.dmp  upx
-
Adds Run key to start application 2 TTPs 1 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QQ.exe = "\"C:\\windows\\system\\QQ.exe\""  down.exe
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
resource  yara_rule
behavioral2/memory/1568-32-0x0000000000400000-0x0000000000496000-memory.dmp  autoit_exe
behavioral2/files/0x0009000000023435-35.dat  autoit_exe
behavioral2/files/0x000700000002343b-50.dat  autoit_exe
-
Drops file in Windows directory 2 IoCs
description  ioc  Process
File created  C:\windows\system\QQ.exe  down.exe
File opened for modification  C:\windows\system\QQ.exe  down.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8535fc494a078ec7b975908dd91a04e0_JaffaCakes118.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tjmy.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  down.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  IEXPLORE.EXE
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xun1ei.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  notice.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Iexplore.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PING.EXE
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid  Process
2432  cmd.exe
1456  PING.EXE
-
Runs ping.exe 1 TTPs 1 IoCs
pid  Process
1456  PING.EXE
-
Suspicious use of FindShellTrayWindow 4 IoCs
pid  Process
1568  tjmy.exe
1568  tjmy.exe
1568  tjmy.exe
384  IEXPLORE.EXE
-
Suspicious use of SendNotifyMessage 3 IoCs
pid  Process
1568  tjmy.exe
1568  tjmy.exe
1568  tjmy.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
pid  Process
548  notice.exe
384  IEXPLORE.EXE
384  IEXPLORE.EXE
2944  IEXPLORE.EXE
2944  IEXPLORE.EXE
2944  IEXPLORE.EXE
2944  IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 26 IoCs
description  pid  Process  procid_target
PID 1304 wrote to memory of 548  1304  8535fc494a078ec7b975908dd91a04e0_JaffaCakes118.exe  86
PID 1304 wrote to memory of 548  1304  8535fc494a078ec7b975908dd91a04e0_JaffaCakes118.exe  86
PID 1304 wrote to memory of 548  1304  8535fc494a078ec7b975908dd91a04e0_JaffaCakes118.exe  86
PID 1304 wrote to memory of 1568  1304  8535fc494a078ec7b975908dd91a04e0_JaffaCakes118.exe  92
PID 1304 wrote to memory of 1568  1304  8535fc494a078ec7b975908dd91a04e0_JaffaCakes118.exe  92
PID 1304 wrote to memory of 1568  1304  8535fc494a078ec7b975908dd91a04e0_JaffaCakes118.exe  92
PID 1568 wrote to memory of 3104  1568  tjmy.exe  93
PID 1568 wrote to memory of 3104  1568  tjmy.exe  93
PID 1568 wrote to memory of 3104  1568  tjmy.exe  93
PID 3104 wrote to memory of 384  3104  Iexplore.exe  94
PID 3104 wrote to memory of 384  3104  Iexplore.exe  94
PID 1304 wrote to memory of 1036  1304  8535fc494a078ec7b975908dd91a04e0_JaffaCakes118.exe  95
PID 1304 wrote to memory of 1036  1304  8535fc494a078ec7b975908dd91a04e0_JaffaCakes118.exe  95
PID 1304 wrote to memory of 1036  1304  8535fc494a078ec7b975908dd91a04e0_JaffaCakes118.exe  95
PID 1036 wrote to memory of 2432  1036  down.exe  97
PID 1036 wrote to memory of 2432  1036  down.exe  97
PID 1036 wrote to memory of 2432  1036  down.exe  97
PID 384 wrote to memory of 2944  384  IEXPLORE.EXE  99
PID 384 wrote to memory of 2944  384  IEXPLORE.EXE  99
PID 384 wrote to memory of 2944  384  IEXPLORE.EXE  99
PID 1304 wrote to memory of 4648  1304  8535fc494a078ec7b975908dd91a04e0_JaffaCakes118.exe  100
PID 1304 wrote to memory of 4648  1304  8535fc494a078ec7b975908dd91a04e0_JaffaCakes118.exe  100
PID 1304 wrote to memory of 4648  1304  8535fc494a078ec7b975908dd91a04e0_JaffaCakes118.exe  100
PID 2432 wrote to memory of 1456  2432  cmd.exe  101
PID 2432 wrote to memory of 1456  2432  cmd.exe  101
PID 2432 wrote to memory of 1456  2432  cmd.exe  101
Processes
C:\Users\Admin\AppData\Local\Temp\8535fc494a078ec7b975908dd91a04e0_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8535fc494a078ec7b975908dd91a04e0_JaffaCakes118.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1304

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\notice.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\notice.exe" /S
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:548

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\tjmy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\tjmy.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1568

    C:\Program Files (x86)\Internet Explorer\Iexplore.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\Iexplore.exe" http://www.iydy.cn/tjmy.html
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3104

      C:\Program Files\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.iydy.cn/tjmy.html
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:384

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:384 CREDAT:17410 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
        PID:2944

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\down.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\down.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1036

    C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ping 127.0.0.1 -n 3&del /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\down.exe"
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2432

      C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 3
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
      PID:1456

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\xun1ei.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xun1ei.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4648
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads