Analysis
max time kernel: 145s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-08-2024 09:15
Static task: static1
Behavioral task: behavioral1
Sample: ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
Resource: win7-20240705-en
General
Target: ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
Size: 325KB
MD5: ca8d5059de6edbdb4b0ddc061f6cf8fd
SHA1: f67fd864383c55c42af4d5de17380cac755856e6
SHA256: a354500c53b0042e32b9a331375eee6a572154589f9301fe827db5fc1e71d2b5
SHA512: fbd633d5967b9189286b40c5f58a6338ce4a2b68544c422992f2ece8870f4771c9d72768995855604d966af18be34723db2f5f2e5a194ad89335d5dc78aa6935
SSDEEP: 6144:oNP9SQWPwhsDeJf9I23kJIs6R7XERVt06pkcOrpjFIZzRyKjg+eD+q:UMQwDihUswV66a6ZznU+eD+q
Malware Config
Extracted
cybergate
2.6
vítima
shootersiker.no-ip.org:1604
wqt3532562345413
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_file: nsrss.exe
install_flag: true
keylogger_enable_ftp: false
message_box_caption: texto da mensagem
message_box_title: título da mensagem
password: abcd1234
Signatures
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes: ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\nsrss.exe" | ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\nsrss.exe" | ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A1XG3QB-O0EL-DJ02-1APH-447FOR40TWM4} | ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A1XG3QB-O0EL-DJ02-1APH-447FOR40TWM4}\StubPath = "C:\\Windows\\system32\\nsrss.exe Restart" | ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
Deletes itself 1 IoCs
Processes: explorer.exe
pid | Process
1164 | explorer.exe
Executes dropped EXE 2 IoCs
Processes: nsrss.exe, nsrss.exe
pid | Process
2784 | nsrss.exe
4152 | nsrss.exe
Processes:
resource | yara_rule
behavioral2/memory/2184-13-0x0000000024010000-0x0000000024072000-memory.dmp | upx
behavioral2/memory/2184-14-0x0000000024010000-0x0000000024072000-memory.dmp | upx
behavioral2/memory/1164-83-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
behavioral2/memory/1164-121-0x0000000024080000-0x00000000240E2000-memory.dmp | upx
Drops file in System32 directory 5 IoCs
Processes: ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe, explorer.exe, nsrss.exe
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\nsrss.exe | ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\nsrss.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\ | explorer.exe
File opened for modification | C:\Windows\SysWOW64\nsrss.exe | nsrss.exe
File created | C:\Windows\SysWOW64\nsrss.exe | ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
Suspicious use of SetThreadContext 2 IoCs
Processes: ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe, nsrss.exe
description | pid | Process | procid_target
PID 4068 set thread context of 2184 | 4068 | ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | 85
PID 2784 set thread context of 4152 | 2784 | nsrss.exe | 91
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | Process | procid_target
1144 | 4152 | WerFault.exe | 91
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe, explorer.exe, nsrss.exe, nsrss.exe, ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nsrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nsrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
pid | Process
2184 | ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
2184 | ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: explorer.exe
pid | Process
1164 | explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: explorer.exe
description | pid | Process
Token: SeDebugPrivilege | 1164 | explorer.exe
Token: SeDebugPrivilege | 1164 | explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
pid | Process
2184 | ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe, nsrss.exe
pid | Process
4068 | ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
2784 | nsrss.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe, ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe
description | pid | Process | procid_target
PID 4068 wrote to memory of 2184 | 4068 | ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | 85
PID 2184 wrote to memory of 3600 | 2184 | ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | 56
Processes
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3600
  C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe" | PID:4068
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\ca8d5059de6edbdb4b0ddc061f6cf8fd_JaffaCakes118.exe" | PID:2184
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\explorer.exe | explorer.exe | PID:1164
      - Deletes itself
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\nsrss.exe | "C:\Windows\system32\nsrss.exe" | PID:2784
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\nsrss.exe | "C:\Windows\SysWOW64\nsrss.exe" | PID:4152
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
            C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 220 | PID:1144
            - Program crash
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4152 -ip 4152 | PID:3548
Network
MITRE ATT&CK Enterprise v15
Downloads