Analysis Overview
SHA256
4960838a390adf1ea412850ca14f15ce7c201fa967c0089df97742ee517ed0fe
Threat Level: Known bad
The file Solara.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Gurcu, WhiteSnake
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Drops startup file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Gathers system information
Suspicious use of AdjustPrivilegeToken
Gathers network information
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-14 14:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-14 14:30
Reported
2024-10-14 14:39
Platform
win10v2004-20241007-en
Max time kernel
507s
Max time network
506s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gurcu, WhiteSnake
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.22.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe"
C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BootstrapperV21.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.22.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.22.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe" --isUpdate true
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c ipconfig /all
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SYSTEM32\CMD.EXE
"CMD.EXE"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | getsolara.dev | udp |
| US | 104.21.93.27:443 | getsolara.dev | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.93.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| N/A | 127.0.0.1:6463 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 79c62fd6.solaraweb-alj.pages.dev | udp |
| US | 172.66.44.59:443 | 79c62fd6.solaraweb-alj.pages.dev | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.44.66.172.in-addr.arpa | udp |
| US | 104.21.93.27:443 | getsolara.dev | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| N/A | 127.0.0.1:1764 | tcp | |
| US | 8.8.8.8:53 | cash-hispanic.gl.at.ply.gg | udp |
| US | 147.185.221.23:1764 | cash-hispanic.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 23.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.23:1764 | cash-hispanic.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 147.185.221.23:1764 | cash-hispanic.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:1764 | tcp | |
| N/A | 127.0.0.1:1764 | tcp | |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:1764 | tcp | |
| US | 147.185.221.23:1764 | cash-hispanic.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe
| MD5 | b3a1a7ef45c3a920f515adc541ee75f4 |
| SHA1 | fa69e1c57709dfa076e792509e6c77d297e47664 |
| SHA256 | 5cb0406be361324ecaeaa54238d82b24dffdfff8ae35dd2a59301e83e71d9d79 |
| SHA512 | 8628cbac85e04d9f0ada20e6f46c74d3e22edda7095043e1f61bcfd7836b54f29f4dde6de6c72309fd8f7cf66a2d69d1fe7288914a213c35b1d40f7d98e4271c |
memory/3100-16-0x00007FFB75EA3000-0x00007FFB75EA5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
| MD5 | 4b94b989b0fe7bec6311153b309dfe81 |
| SHA1 | bb50a4bb8a66f0105c5b74f32cd114c672010b22 |
| SHA256 | 7c4283f5e620b2506bcb273f947def4435d95e143ae3067a783fd3adc873a659 |
| SHA512 | fbbe60cf3e5d028d906e7d444b648f7dff8791c333834db8119e0a950532a75fda2e9bd5948f0b210904667923eb7b2c0176140babc497955d227e7d80fb109d |
memory/3100-22-0x0000000000D90000-0x0000000000DAA000-memory.dmp
memory/3008-26-0x0000018F73120000-0x0000018F731EE000-memory.dmp
memory/3008-27-0x00007FFB75EA0000-0x00007FFB76961000-memory.dmp
memory/3008-29-0x0000018F73650000-0x0000018F73672000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_svllydkz.jf2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | a43e653ffb5ab07940f4bdd9cc8fade4 |
| SHA1 | af43d04e3427f111b22dc891c5c7ee8a10ac4123 |
| SHA256 | c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe |
| SHA512 | 62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1f8b23cd03fdfb5d4559ac10c445b89f |
| SHA1 | cea378877687b1967095d5237e3c0111929f012d |
| SHA256 | f1bb0869c1d26c4282aa06a4840a9ca86e9145c136af42bb85b6d2e77e684551 |
| SHA512 | 3ffe559e174f4706d3e7681f0d88d53dfde5eef56ee5005ccf7b3036a5d6ba85e02fa4d0cb213d237afcb894d79fbe673b18f986f57db2904558f447e42fe550 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0256bd284691ed0fc502ef3c8a7e58dc |
| SHA1 | dcdf69dc8ca8bf068f65d20ef1563bbe283e2413 |
| SHA256 | e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf |
| SHA512 | c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 10890cda4b6eab618e926c4118ab0647 |
| SHA1 | 1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d |
| SHA256 | 00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14 |
| SHA512 | a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221 |
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.22.exe
| MD5 | 2a4dcf20b82896be94eb538260c5fb93 |
| SHA1 | 21f232c2fd8132f8677e53258562ad98b455e679 |
| SHA256 | ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a |
| SHA512 | 4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288 |
memory/3008-86-0x00007FFB75EA0000-0x00007FFB76961000-memory.dmp
memory/1956-88-0x0000020008E50000-0x0000020008F1E000-memory.dmp
memory/3100-93-0x00007FFB75EA0000-0x00007FFB76961000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DISCORD
| MD5 | 487ab53955a5ea101720115f32237a45 |
| SHA1 | c59d22f8bc8005694505addef88f7968c8d393d3 |
| SHA256 | d64354a111fd859a08552f6738fecd8c5594475e8c03bb37546812a205d0d368 |
| SHA512 | 468689d98645c9f32813d833a07bbcf96fe0de4593f4f4dc6757501fbce8e9951d21a8aa4a7050a87a904d203f521134328d426d4e6ab9f20e7e759769003b7c |
memory/3100-96-0x00007FFB75EA3000-0x00007FFB75EA5000-memory.dmp
memory/3100-100-0x00007FFB75EA0000-0x00007FFB76961000-memory.dmp
memory/3100-101-0x000000001C420000-0x000000001C42C000-memory.dmp
memory/3100-102-0x0000000002FD0000-0x0000000002FDA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
memory/3100-108-0x00007FFB75EA0000-0x00007FFB76961000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 83685d101174171875b4a603a6c2a35c |
| SHA1 | 37be24f7c4525e17fa18dbd004186be3a9209017 |
| SHA256 | 0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870 |
| SHA512 | 005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 47605a4dda32c9dff09a9ca441417339 |
| SHA1 | 4f68c895c35b0dc36257fc8251e70b968c560b62 |
| SHA256 | e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a |
| SHA512 | b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d013b69d1a8bc44a599a20aa767332ed |
| SHA1 | 9949c222e8664c419294d6bd5ca13184b2b2e3c8 |
| SHA256 | 9fcb62333faf9fae34f4e882c6af4065a233063fbdf9a550ac849d650573463c |
| SHA512 | 3554c4ea46dea441d9ea98e24c55f71e7d75490b38a5ab81a3d7d267e85ceaa6f6a38dc339f2eed6544c2bb744ae16b2de69f6a2c74e56782c8e6a1782d996d7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4920f7bec7cdb8ac44637a6af9d2fc6f |
| SHA1 | d4c5e3c9397926ec9bdaccdd955e89f5138b1816 |
| SHA256 | 8cc607eab702c5690ee5d64f5d34add46b7093c23751506dad728853a434a277 |
| SHA512 | 321e8178ebd08d680c6d1af467ab73e3055af8c8bb06ee81b1af46bd6718e5a060c339da5a281028c2557ab8d85172921e10363ccd8d411aa0e75f62119838d7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
| MD5 | f52422154c6f23f86e47f6c02639e13a |
| SHA1 | ea40834eb447a4d0a315f6966fe1b83038fefa80 |
| SHA256 | 1562698dbedfb40423803999a408d9596a02d9231298b857822057ce0a72c8ef |
| SHA512 | 5158405a93c40b0403669d066025b824c1100c038f420bc4916bfc6c34e44dd3d453618c39dc23770438f161fd0cf1c65194bb841e1f053c9118e5bb973a2b6c |