Overview
overview
10Static
static
3Ransom.Win...wn.vbs
windows7-x64
Ransom.Win...wn.vbs
windows10-2004-x64
Ransom.Win...wn.vbs
windows10-ltsc 2021-x64
Ransom.Win...wn.vbs
windows11-21h2-x64
Ransom.Win...rX.vbs
windows7-x64
10Ransom.Win...rX.vbs
windows10-2004-x64
10Ransom.Win...rX.vbs
windows10-ltsc 2021-x64
10Ransom.Win...rX.vbs
windows11-21h2-x64
10other malw...0r.exe
windows7-x64
10other malw...0r.exe
windows10-2004-x64
10other malw...0r.exe
windows10-ltsc 2021-x64
10other malw...0r.exe
windows11-21h2-x64
10other malw...pe.exe
windows7-x64
3other malw...pe.exe
windows10-2004-x64
other malw...pe.exe
windows10-ltsc 2021-x64
other malw...pe.exe
windows11-21h2-x64
other malw...rm.vbs
windows7-x64
1other malw...rm.vbs
windows10-2004-x64
1other malw...rm.vbs
windows10-ltsc 2021-x64
1other malw...rm.vbs
windows11-21h2-x64
1Analysis
-
max time kernel
4s -
max time network
15s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25-10-2024 15:13
Static task
static1
Behavioral task
behavioral1
Sample
Ransom.Win32.LCrypt0rX.A/LCrypt0rX with shutdown.vbs
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Ransom.Win32.LCrypt0rX.A/LCrypt0rX with shutdown.vbs
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Ransom.Win32.LCrypt0rX.A/LCrypt0rX with shutdown.vbs
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral4
Sample
Ransom.Win32.LCrypt0rX.A/LCrypt0rX with shutdown.vbs
Resource
win11-20241007-en
Behavioral task
behavioral5
Sample
Ransom.Win32.LCrypt0rX.A/LCrypt0rX.vbs
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
Ransom.Win32.LCrypt0rX.A/LCrypt0rX.vbs
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Ransom.Win32.LCrypt0rX.A/LCrypt0rX.vbs
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral8
Sample
Ransom.Win32.LCrypt0rX.A/LCrypt0rX.vbs
Resource
win11-20241007-en
Behavioral task
behavioral9
Sample
other malware cuz why not/[email protected]
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
other malware cuz why not/[email protected]
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
other malware cuz why not/[email protected]
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral12
Sample
other malware cuz why not/[email protected]
Resource
win11-20241007-en
Behavioral task
behavioral13
Sample
other malware cuz why not/NoEscape.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
other malware cuz why not/NoEscape.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
other malware cuz why not/NoEscape.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral16
Sample
other malware cuz why not/NoEscape.exe
Resource
win11-20241023-en
Behavioral task
behavioral17
Sample
other malware cuz why not/loveletterworm.vbs
Resource
win7-20240708-en
Behavioral task
behavioral18
Sample
other malware cuz why not/loveletterworm.vbs
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
other malware cuz why not/loveletterworm.vbs
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral20
Sample
other malware cuz why not/loveletterworm.vbs
Resource
win11-20241007-en
Errors
General
-
Target
Ransom.Win32.LCrypt0rX.A/LCrypt0rX with shutdown.vbs
-
Size
21KB
-
MD5
ccfb22a0d55543947874bc9b607c7843
-
SHA1
b956bda2cb1484dd81a858a20b6f352738b7520a
-
SHA256
709f205ac793546c11dab288eebec677f14b61c1e290ba48c8694e199c55ec42
-
SHA512
987888a30fdd10957c00c0cf34197ff9e261dc364251a778e758248a298782555b071b1a9ac693d253ae91a3ee72c2bb4114a9462fc3fe9e574752eaa9b82a06
-
SSDEEP
384:tegbplStxYHQHSH7l+icj1F2Z2vXQayXwA+9xQ+E6z:b2T2hJ+Em
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request 2 IoCs
flow pid Process 6 3020 wscript.exe 10 3020 wscript.exe -
Blocks application from running via registry modification 3 IoCs
Adds application to list of disallowed applications.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe" wscript.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wscript.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation wscript.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wins32BugFix = "C:\\Windows\\System32\\wins32bugfix.vbs" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyStartupScript = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransom.Win32.LCrypt0rX.A\\LCrypt0rX with shutdown.vbs" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iamthedoom = "C:\\Windows\\System32\\iamthedoom.bat" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpamScript = "C:\\Windows\\System32\\haha.vbs" wscript.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File created C:\Windows\System32\iamthedoom.bat wscript.exe File opened for modification C:\Windows\System32\iamthedoom.bat wscript.exe File created C:\Windows\System32\haha.vbs wscript.exe File opened for modification C:\Windows\System32\haha.vbs wscript.exe File created C:\Windows\System32\wins32bugfix.vbs wscript.exe File opened for modification C:\Windows\System32\wins32bugfix.vbs wscript.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\gcrybground.png" wscript.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2324 vssadmin.exe -
Kills process with taskkill 4 IoCs
pid Process 4040 taskkill.exe 5460 taskkill.exe 540 taskkill.exe 3308 taskkill.exe -
Modifies Control Panel 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Control Panel\Mouse wscript.exe Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop wscript.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 1980 notepad.exe -
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 10 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 6 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 5016 mspaint.exe 5016 mspaint.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeBackupPrivilege 2408 vssvc.exe Token: SeRestorePrivilege 2408 vssvc.exe Token: SeAuditPrivilege 2408 vssvc.exe Token: SeDebugPrivilege 3308 taskkill.exe Token: SeDebugPrivilege 4040 taskkill.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5016 mspaint.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 4496 wrote to memory of 3020 4496 WScript.exe 84 PID 4496 wrote to memory of 3020 4496 WScript.exe 84 PID 3020 wrote to memory of 2660 3020 wscript.exe 85 PID 3020 wrote to memory of 2660 3020 wscript.exe 85 PID 2660 wrote to memory of 2324 2660 cmd.exe 87 PID 2660 wrote to memory of 2324 2660 cmd.exe 87 PID 3020 wrote to memory of 1980 3020 wscript.exe 90 PID 3020 wrote to memory of 1980 3020 wscript.exe 90 PID 3020 wrote to memory of 3120 3020 wscript.exe 95 PID 3020 wrote to memory of 3120 3020 wscript.exe 95 PID 3020 wrote to memory of 3572 3020 wscript.exe 96 PID 3020 wrote to memory of 3572 3020 wscript.exe 96 PID 3020 wrote to memory of 3396 3020 wscript.exe 98 PID 3020 wrote to memory of 3396 3020 wscript.exe 98 PID 3020 wrote to memory of 3624 3020 wscript.exe 99 PID 3020 wrote to memory of 3624 3020 wscript.exe 99 PID 3020 wrote to memory of 3308 3020 wscript.exe 100 PID 3020 wrote to memory of 3308 3020 wscript.exe 100 PID 3572 wrote to memory of 5016 3572 cmd.exe 102 PID 3572 wrote to memory of 5016 3572 cmd.exe 102 PID 3396 wrote to memory of 4188 3396 wscript.exe 103 PID 3396 wrote to memory of 4188 3396 wscript.exe 103 PID 3624 wrote to memory of 4040 3624 wscript.exe 104 PID 3624 wrote to memory of 4040 3624 wscript.exe 104 PID 4188 wrote to memory of 5240 4188 wscript.exe 108 PID 4188 wrote to memory of 5240 4188 wscript.exe 108 -
System policy modification 1 TTPs 15 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs = "0" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" wscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer wscript.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ransom.Win32.LCrypt0rX.A\LCrypt0rX with shutdown.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Ransom.Win32.LCrypt0rX.A\LCrypt0rX with shutdown.vbs" /elevated2⤵
- UAC bypass
- Blocklisted process makes network request
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3020 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet3⤵
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:2324
-
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\READMEPLEASE.txt3⤵
- Opens file in notepad (likely ransom note)
PID:1980
-
-
C:\Windows\System32\RUNDLL32.EXE"C:\Windows\System32\RUNDLL32.EXE" user32.dll,UpdatePerUserSystemParameters3⤵PID:3120
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\System32\iamthedoom.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Windows\system32\mspaint.exemspaint4⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js4⤵PID:5648
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd49d246f8,0x7ffd49d24708,0x7ffd49d247185⤵PID:5888
-
-
-
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4188 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs5⤵PID:5240
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs6⤵PID:5440
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs7⤵PID:5656
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs8⤵PID:6128
-
-
-
-
-
-
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Windows\System32\wins32bugfix.vbs3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM powershell.exe /F4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4040
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F4⤵
- Kills process with taskkill
PID:5460
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM cmd.exe /F4⤵
- Kills process with taskkill
PID:540
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /F /IM explorer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3308
-
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" /r /t 03⤵PID:5664
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2408
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵PID:5256
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa38ca055 /state1:0x41c64e6d1⤵PID:5856
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5c2d9eeb3fdd75834f0ac3f9767de8d6f
SHA14d16a7e82190f8490a00008bd53d85fb92e379b0
SHA2561e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66
SHA512d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd
-
Filesize
263B
MD53ef0278e79a3b141585b0eb66d965dcd
SHA12c5a34b067b368adcb8daad4b6ead6c4a1a2ef26
SHA256defe7e5a9ae1aa925ca79cc6f7b1c56368bcf21b48668e1161449ed96bb6774a
SHA512b21fcb3dfc37680fe6669818505101fff46a0848a5406e5e94c5dbe4c6031bb47cfe4763d21fa8d966c8e09e8e5050c4e35bc1f0cfdedcb6cb63bec9db34221c
-
Filesize
1KB
MD5f2a256e463d8b95880579574a96ed06e
SHA10148ad8f4a38a303fc58ff7bf543b9fd2da6cdad
SHA256d8c9882db9ff81f39e227378a1476d27075b8aa63e3c7ac31ab79b35a1f63915
SHA5123ac57af6f83ad83d63689c1f9868829cf83220d98b278da267ba4c8398fa541afff38416e1a947aff74963099fdf75c275cb302f3cea120eddd5afc6b9a8b5a1
-
Filesize
431B
MD57f577772568e8e2166472cfc8576f2a5
SHA119f00b639e0456bc990c2506d4e9d516f57a56c3
SHA256de6bdd7e830e1df26ded7aee443e494869390dd08f2f14de277c4eb56699f640
SHA51231f06800905fa4031d00c28a003059afa385dcaa4cff606a7805cbada80fdae2ad5518f5939d9a31c9a51dd9a0ea0af1cdb0b9e292d324023dcfbf227d7e47a9
-
Filesize
496B
MD5e2d836beba8f0d92022fc8c07d42f684
SHA1ca8904c7281ff138afbbb2690862a54ebdbd53e7
SHA2562581cbeb3f35d83a6f90ed208a1f3ac8e59efbbeafbaab11c9d2b66c2333e1a3
SHA512ead612bde359a4d0d7b305f8aeaee4d46595c8cbfbfecd0ff76c7dbc1b0156e2a6d5df76787c2c07134df1d4d0122f2b61a51b3287c026ec1e202228f0248ad7