Analysis Overview
SHA256
6587e68c8e53df8abb6bbd312feaf054bf9986df2db98c5850b1fd92469c3053
Threat Level: Known bad
The file 202409234a27f40979c27b52e3c7d3fa3069c246cobaltstrikepoetratsnatch was found to be: Known bad.
Malicious Activity Summary
HackBrowserData
An open source browser data exporter written in golang.
Executes dropped EXE
Looks up external IP address via web service
Suspicious use of SetThreadContext
Browser Information Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-23 21:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-23 21:51
Reported
2024-09-23 21:53
Platform
win7-20240708-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\202409234a27f40979c27b52e3c7d3fa3069c246cobaltstrikepoetratsnatch.exe
"C:\Users\Admin\AppData\Local\Temp\202409234a27f40979c27b52e3c7d3fa3069c246cobaltstrikepoetratsnatch.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-23 21:51
Reported
2024-09-23 21:53
Platform
win10v2004-20240802-en
Max time kernel
93s
Max time network
137s
Command Line
Signatures
An open source browser data exporter written in golang.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
HackBrowserData
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\script_cookie_encrypted.exe | N/A |
| N/A | N/A | C:\Users\Admin\rate.exe | N/A |
| N/A | N/A | C:\Users\Admin\rate.exe | N/A |
| N/A | N/A | C:\Users\Admin\rate.exe | N/A |
| N/A | N/A | C:\Users\Admin\rate.exe | N/A |
| N/A | N/A | C:\Users\Admin\rate.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3888 set thread context of 4612 | N/A | C:\Users\Admin\script_cookie_encrypted.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe |
| PID 3692 set thread context of 5052 | N/A | C:\Users\Admin\rate.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
| PID 1360 set thread context of 3376 | N/A | C:\Users\Admin\rate.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
| PID 2288 set thread context of 3816 | N/A | C:\Users\Admin\rate.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
| PID 2672 set thread context of 4936 | N/A | C:\Users\Admin\rate.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
| PID 3564 set thread context of 2040 | N/A | C:\Users\Admin\rate.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | C:\Users\Admin\AppData\Local\Temp\202409234a27f40979c27b52e3c7d3fa3069c246cobaltstrikepoetratsnatch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 | C:\Users\Admin\AppData\Local\Temp\202409234a27f40979c27b52e3c7d3fa3069c246cobaltstrikepoetratsnatch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | C:\Users\Admin\AppData\Local\Temp\202409234a27f40979c27b52e3c7d3fa3069c246cobaltstrikepoetratsnatch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\script_cookie_encrypted.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\202409234a27f40979c27b52e3c7d3fa3069c246cobaltstrikepoetratsnatch.exe
"C:\Users\Admin\AppData\Local\Temp\202409234a27f40979c27b52e3c7d3fa3069c246cobaltstrikepoetratsnatch.exe"
C:\Users\Admin\script_cookie_encrypted.exe
C:\Users\Admin\script_cookie_encrypted.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
C:\Users\Admin\rate.exe
C:\Users\Admin\rate.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Users\Admin\rate.exe
C:\Users\Admin\rate.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Users\Admin\rate.exe
C:\Users\Admin\rate.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Users\Admin\rate.exe
C:\Users\Admin\rate.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Users\Admin\rate.exe
C:\Users\Admin\rate.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 52.252.190.167:56001 | tcp | |
| US | 8.8.8.8:53 | 167.190.252.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
Files
C:\Users\Admin\script_cookie_encrypted.exe
| MD5 | b50c04edf22d51016e00d6f385b41cc7 |
| SHA1 | 22295a90e102a3ffdada9f52230fb9e604bac281 |
| SHA256 | 2a7cae1fd866ff4f11e5c41c428b9b3c1078df3b523706d8a5145c55bd359ba9 |
| SHA512 | a574405593129fd729d8bf5fdcf6813cb68870cbb1124969def626db06069ccb2e18841c73ca5f34f71d33b4edd9c1982b6282a6f3e66b645e1043eff45f1f73 |
memory/4612-4-0x0000000000400000-0x0000000000DED000-memory.dmp
C:\Users\Admin\rate.exe
| MD5 | 0c8bc5317e4b23f1e6dd3a2b7af70255 |
| SHA1 | 49dd70a5dfb41a77806f0abb0b9f54d0cd01d652 |
| SHA256 | af847306fa5457d15f4d378e2622f6ff3f92c9a093810f760bf1f3cc91aacb7f |
| SHA512 | e95a567a70df88ac1226fd4973a6103f195c38f1790750047feead51b186434d88ab5a525c77cbe509f6fa8d8c90b77fac9daf2a48d31f85db12ab1b11863878 |
memory/3692-10-0x00007FFCEFAF3000-0x00007FFCEFAF5000-memory.dmp
memory/3692-9-0x0000024781DE0000-0x0000024781DE8000-memory.dmp
memory/4612-14-0x0000000000400000-0x0000000000DED000-memory.dmp
memory/4612-15-0x0000000000400000-0x0000000000DED000-memory.dmp
memory/4612-16-0x0000000000400000-0x0000000000DED000-memory.dmp
memory/4612-13-0x0000000000400000-0x0000000000DED000-memory.dmp
memory/4612-12-0x0000000000400000-0x0000000000DED000-memory.dmp
memory/4612-45-0x0000000000400000-0x0000000000DED000-memory.dmp
memory/4612-48-0x0000000000400000-0x0000000000DED000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\CURRENT.bak
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Temp\Session Storage_8.temp\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Temp\Local Storage\leveldb_7.temp\CURRENT.5
| MD5 | 9f36605efba98dab15728fe8b5538aa0 |
| SHA1 | 6a7cff514ae159a59b70f27dde52a3a5dd01b1c8 |
| SHA256 | 9c283f6e81028b9eb0760d918ee4bc0aa256ed3b926393c1734c760c4bd724fd |
| SHA512 | 1893aa3d1abcf7f9e83911468fa2eeb2ad1d7e23f4586bd6c4d76f9f96a645c15e63e44da55700347165e97b6ac412e6d495b81c3da9faa61d617c7a71a7404c |
memory/4612-174-0x0000000000400000-0x0000000000DED000-memory.dmp
memory/3692-179-0x000002479C4D0000-0x000002479C580000-memory.dmp
memory/5052-180-0x0000000000400000-0x000000000045C000-memory.dmp
memory/5052-182-0x0000000004F20000-0x0000000004FDA000-memory.dmp
memory/5052-183-0x0000000005080000-0x00000000050E6000-memory.dmp
C:\Users\Admin\results\chrome_default_extension.csv
| MD5 | 81b496ce1578a88f74dcf1b5a09f98b5 |
| SHA1 | ec5b2723bf4f88d001069fccd5300096c5955d0b |
| SHA256 | 5c99c6eb19efecfdcb5da9e8e547ce78065d0de4e7dcc4b70166d03d0870b7d5 |
| SHA512 | b72794dfb6955f8a2c102d072cd650617d08ca94805c791e4549ec2b326b8b896d872f848f701ebbad46342da6df051a3799af5434092b167a233a23978e580f |
C:\Users\Admin\results\chrome_default_sessionstorage.csv
| MD5 | d07886f7107c50304e1b9cde0793ed04 |
| SHA1 | 41453a6e9db25a06b4ef031c12fdcee8a3818741 |
| SHA256 | 963b596f0385f5be1b8ad2f7e5b4ff474aeb1a1a8d17d20ff67a1cd30ca70344 |
| SHA512 | a917504c89a8ec7b8fc5d89a683fce01ce45a160dbb98861cc2432c221a2f3e7aca15b7325967c171e2de2d7ce26ffa01ecef49c7b896b1a16daa5a3125eb4ca |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log
| MD5 | 3334ecde6536c93e216decce323cbe3e |
| SHA1 | 277f9a4e3a14c5dbe6b92fabac8b2050cab3629b |
| SHA256 | 494fcff7f11e2d7ea9abfbf91d6dea2595388ab4c45269e5fd74c82796d0a76a |
| SHA512 | 2830773d60aa9fe73c7e0a28502e198d931422b4a1df9a0b844d3952bb0aed7aa2b5da39e1adf145c9e6c2f75a33560da23c9b2b774fb38718bde066eafcad9d |