Resubmissions
09-10-2024 00:49 241009-a6lyysvfpp 10
Analysis
- max time kernel: 16s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 09-10-2024 00:49
Behavioral task
behavioral1
Sample
mobelejen.apk
Resource
win11-20241007-en
General
-
Target
mobelejen.apk
-
Size
549KB
-
MD5
45be5a7857a4fa1c5eadd519e9402e8a
-
SHA1
36feb0809c1853f9a1f6d587302691abd7ce90e9
-
SHA256
7d59e24f4bdf28a846d21e2608796f7e91389c4778bec75369d7b05e3f8449a5
-
SHA512
46c869051e0c97b68f4388b87caecd82bf7362110a34ebb28ddc5fcd6c8a0e339eeaafbfce54d22593e245457fae7ec4c36b49a8556d3327ba7f90a40dd96a73
-
SSDEEP
12288:9cVS3EVqPlR6i0Ci3jM34D9zSxjRH6+O//n3tKpSsM+1HA+3De7:9OS3EW6i0C+M3SziN6+ONjstgYDe7
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: AcroRd32.exe, RdrCEF.exe, RdrCEF.exe, RdrCEF.exe, RdrCEF.exe, RdrCEF.exe, RdrCEF.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RdrCEF.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: AcroRd32.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
-
Processes: AcroRd32.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
-
Modifies registry class 18 IoCs
Processes: OpenWith.exe, cmd.exe, MiniSearchHost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\ⵟǰ\ = "apk_auto_file" | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\敲d敲eㅄᡸ爀蠀䀀 | OpenWith.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\敲d敲eㅄᡸ爀蠀䀀\ = "apk_auto_file" | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\apk_auto_file\shell | OpenWith.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\.apk\ = "apk_auto_file" | OpenWith.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\ⵟǰ\ = "apk_auto_file" | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\潤瑭敲eㅊ焀耀ⵟǰ | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\ⵟǰ | OpenWith.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\apk_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\"" | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings | cmd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\潤瑭敲eㅊ焀耀ⵟǰ\ = "apk_auto_file" | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\.apk | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\apk_auto_file | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\ⵟǰ | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\apk_auto_file\shell\Read | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\apk_auto_file\shell\Read\command | OpenWith.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: OpenWith.exe
pid | process
4600 | OpenWith.exe
-
Suspicious use of SetWindowsHookEx 16 IoCs
Processes: OpenWith.exe, AcroRd32.exe, MiniSearchHost.exe
pid | process
4600 | OpenWith.exe
4600 | OpenWith.exe
4600 | OpenWith.exe
4600 | OpenWith.exe
4600 | OpenWith.exe
4600 | OpenWith.exe
4600 | OpenWith.exe
4600 | OpenWith.exe
4600 | OpenWith.exe
4600 | OpenWith.exe
4600 | OpenWith.exe
1032 | AcroRd32.exe
1032 | AcroRd32.exe
1032 | AcroRd32.exe
1032 | AcroRd32.exe
644 | MiniSearchHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\mobelejen.apk
Depth: 1
- Modifies registry class
PID:4140
-
C:\Windows\system32\OpenWith.exe
Command line: C:\Windows\system32\OpenWith.exe -Embedding
Depth: 1
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4600
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\mobelejen.apk"
Depth: 2
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Depth: 3
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4588
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EAFC038AF2A5A168ECD6FB21D1D69492 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Depth: 4
- System Location Discovery: System Language Discovery
PID:5036
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=38EE6BA919AE123BE1CC8F60699243BB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=38EE6BA919AE123BE1CC8F60699243BB --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
Depth: 4
- System Location Discovery: System Language Discovery
PID:4904
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C9013F7B216CB527EDA8BC9AC1609BF3 --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Depth: 4
- System Location Discovery: System Language Discovery
PID:3076
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=77DF6C909EF1C0B07EA3015D7925B48B --mojo-platform-channel-handle=1876 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Depth: 4
- System Location Discovery: System Language Discovery
PID:2752
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FF03A9B3D8E6F7A39889379598774ACE --mojo-platform-channel-handle=2508 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
Depth: 4
- System Location Discovery: System Language Discovery
PID:5116
-
C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Depth: 1
PID:2492
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
Depth: 1
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:644
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize: 10KB
MD5: 2dfa537d7e7d11c7781652cf2ed49a6f
SHA1: f6b77ccf66633ed19c707364e90b7b9be2e517c3
SHA256: 09efc6acacca137ee3d416e4f8f25820fde2508012a5d1be643044f05e1d294b
SHA512: ddeb30d036d0e096393b90b9db04901525a68c08e0de7faebb921461f4b60c56f34fe5e1677f5328f64456a0e1de8b84b2c180ddea97daa29992140099d8672d