Malware Analysis Report

2025-01-22 08:54

Sample ID 241027-p724wsxfnd
Target na.doc
SHA256 a0212b7de7b4fd85784ba4e517c7e7f404a0405e7a8ff9d9e8b56d6556c268e5
Tags
collection discovery execution spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

a0212b7de7b4fd85784ba4e517c7e7f404a0405e7a8ff9d9e8b56d6556c268e5

Threat Level: Likely malicious

The file na.doc was found to be: Likely malicious.

Malicious Activity Summary

collection discovery execution spyware stealer

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Suspicious use of WriteProcessMemory

outlook_office_path

Enumerates system info in registry

Launches Equation Editor

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 12:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 12:59

Reported

2024-10-27 13:01

Platform

win7-20240903-en

Max time kernel

118s

Max time network

132s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\na.rtf"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2808 set thread context of 2880 N/A C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2768 wrote to memory of 2808 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe
PID 2768 wrote to memory of 2808 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe
PID 2768 wrote to memory of 2808 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe
PID 2768 wrote to memory of 2808 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe
PID 2844 wrote to memory of 3052 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2844 wrote to memory of 3052 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2844 wrote to memory of 3052 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2844 wrote to memory of 3052 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2808 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2808 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2808 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2808 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2808 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe
PID 2808 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe
PID 2808 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe
PID 2808 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe
PID 2808 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe
PID 2808 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe
PID 2808 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe
PID 2808 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe
PID 2808 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\na.rtf"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe

"C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe"

C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe

"C:\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe"

Network

Country Destination Domain Proto
DE 87.120.84.38:80 87.120.84.38 tcp
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2844-0-0x000000002F531000-0x000000002F532000-memory.dmp

memory/2844-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2844-2-0x000000007119D000-0x00000000711A8000-memory.dmp

\Users\Admin\AppData\Roaming\zzaspmaxziflow44756.exe

MD5 7cf4240bd89ec48e20692971f910a815
SHA1 a61d58369bb5314ced295fe2af91f5316f145687
SHA256 71b1f19c0d57916d38432bb914a0b57cdf1ef274384981466e3af7b8f2aa1335
SHA512 fd1fbcfe1b45e9391fdc2ef6cd48ddedb1f6eab4bdadce8b9c9d19b82098aa6038ad8aabe588062430cfec24c355541ac2a8632d82933b6ac96c0cc9d721dd52

memory/2808-14-0x0000000000DC0000-0x0000000000E5E000-memory.dmp

memory/2808-15-0x00000000005D0000-0x00000000005EE000-memory.dmp

memory/2844-16-0x000000007119D000-0x00000000711A8000-memory.dmp

memory/2808-17-0x00000000004A0000-0x00000000004FE000-memory.dmp

memory/2880-29-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2880-27-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2880-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2880-24-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2880-22-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2880-20-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2880-18-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2880-31-0x0000000000400000-0x000000000041E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 12:59

Reported

2024-10-27 13:01

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

142s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\na.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\na.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.18.27.153:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.18.190.140:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.140:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.140:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.140:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.140:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.140:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.140:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.140:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.140:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.140:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.140:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.140:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.140:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 153.27.18.2.in-addr.arpa udp
US 8.8.8.8:53 140.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/516-0-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

memory/516-1-0x00007FF93CF8D000-0x00007FF93CF8E000-memory.dmp

memory/516-2-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

memory/516-3-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

memory/516-4-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

memory/516-10-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

memory/516-5-0x00007FF8FCF70000-0x00007FF8FCF80000-memory.dmp

memory/516-11-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

memory/516-9-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

memory/516-12-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

memory/516-13-0x00007FF8FAD50000-0x00007FF8FAD60000-memory.dmp

memory/516-8-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

memory/516-15-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

memory/516-16-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

memory/516-14-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

memory/516-20-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

memory/516-21-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

memory/516-19-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

memory/516-18-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

memory/516-17-0x00007FF8FAD50000-0x00007FF8FAD60000-memory.dmp

memory/516-7-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

memory/516-6-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

memory/516-33-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

memory/516-34-0x00007FF93CF8D000-0x00007FF93CF8E000-memory.dmp

memory/516-35-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

memory/516-36-0x00007FF93CEF0000-0x00007FF93D0E5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 c6b143e6f648f554587cbc2acbfd1e5a
SHA1 c78071898eb8dc794eceda65a9477144b98c7754
SHA256 ab75cc8d94a8352264eb12473490581037913156832ffe60a52202f668b6103f
SHA512 4bb792e1dc987393e2cb13f84d4cf48e5b100df08d9202fcf4ec6f7ab0e723502266456da0d0bc0e357f91ff1a4b5c6080fdff011076805e27270dd6dcaf1147

C:\Users\Admin\AppData\Local\Temp\TCDE565.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d