Malware Analysis Report

2024-11-15 07:53

Sample ID 241109-zq55bsvmdp
Target d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA256 d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
Tags
cryptolocker discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

Threat Level: Known bad

The file d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9 was found to be: Known bad.

Malicious Activity Summary

cryptolocker discovery persistence ransomware

CryptoLocker

Cryptolocker family

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 20:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 20:56

Reported

2024-11-09 20:58

Platform

win7-20240903-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe"

Signatures

CryptoLocker

ransomware cryptolocker

Cryptolocker family

cryptolocker

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe" C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 2248 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 2248 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 2248 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 3040 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 3040 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 3040 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 3040 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe

"C:\Users\Admin\AppData\Local\Temp\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe"

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe"

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000000C8

Network

Country Destination Domain Proto
US 184.164.136.134:80 tcp
US 8.8.8.8:53 dfrpkielsaogag.org udp
US 162.249.64.57:80 dfrpkielsaogag.org tcp
US 8.8.8.8:53 ejwopnkxpsucqu.co.uk udp
US 8.8.8.8:53 eathdsfmjckway.info udp
US 8.8.8.8:53 feygixlyguqsae.com udp
US 8.8.8.8:53 nbbicjxcgcjyba.net udp
US 8.8.8.8:53 bqgtyrlqtlxujo.biz udp
US 8.8.8.8:53 psdletypuostdn.ru udp
US 8.8.8.8:53 diiwbcmeixhpcl.org udp
US 162.249.64.57:80 diiwbcmeixhpcl.org tcp
US 8.8.8.8:53 jdfvoeoaibcwtk.co.uk udp
US 8.8.8.8:53 wskhlmcovkqscg.info udp
US 8.8.8.8:53 luhyqopnwnlrdq.com udp
US 8.8.8.8:53 ykmknwdckwancv.net udp
US 8.8.8.8:53 vfjityxridvuxs.biz udp
US 8.8.8.8:53 wjohyhnbvbkixt.ru udp
US 8.8.8.8:53 xwllvjyfwpfpar.org udp
US 8.8.8.8:53 ybqkbrookntdqf.co.uk udp
US 8.8.8.8:53 rhnvgtopkcoscw.info udp
US 8.8.8.8:53 slsulceyxadgcf.com udp
US 8.8.8.8:53 typyiepdyoxnlo.net udp
US 8.8.8.8:53 uduxnmfmmmmbcj.biz udp
US 8.8.8.8:53 lueadrioraqn.ru udp
US 8.8.8.8:53 yiyllwsvlneh.org udp
US 8.8.8.8:53 mtcgyideutya.co.uk udp
US 8.8.8.8:53 ahwrhnnlohmt.info udp
US 8.8.8.8:53 jljxvyjpfmoq.com udp
US 8.8.8.8:53 wyejeetwyack.net udp
US 8.8.8.8:53 kkherpefigwd.biz udp
US 8.8.8.8:53 xxcpauomctkw.ru udp
US 8.8.8.8:53 pcomggpgyfgh.org udp
US 8.8.8.8:53 qejmalcisnvw.co.uk udp
US 8.8.8.8:53 qbmscwkvcyot.info udp
US 8.8.8.8:53 rdhsvcwxvhej.com udp
US 8.8.8.8:53 nstkynqhmrek.net udp
US 8.8.8.8:53 ouokssdjgata.biz udp
US 8.8.8.8:53 orrquelwplmw.ru udp
US 8.8.8.8:53 ptmqojxyjtcm.org udp
US 8.8.8.8:53 rvwcxnhfpbbl.co.uk udp
US 8.8.8.8:53 fjrngvbsgukb.info udp
US 8.8.8.8:53 truswechqdok.com udp
US 8.8.8.8:53 hfpefmvuhwxa.net udp
US 8.8.8.8:53 pmcaquigdnyo.biz udp
US 8.8.8.8:53 dawlydctthie.ru udp
US 8.8.8.8:53 riaqpldiepmn.org udp
US 8.8.8.8:53 fvucxtwvujvd.co.uk udp
US 8.8.8.8:53 vdhobcolwgmb.info udp
US 8.8.8.8:53 wfcoukkqnugu.com udp
US 8.8.8.8:53 xyffasjnxiaa.net udp
US 8.8.8.8:53 ybaftbfsowtt.biz udp
US 8.8.8.8:53 ttmmtjpmkske.ru udp
US 8.8.8.8:53 uvhmnrlrbhex.org udp
US 8.8.8.8:53 vpkdsakoluxd.co.uk udp
US 8.8.8.8:53 wrfdmigtcjrw.info udp
US 8.8.8.8:53 iwmosvsedxye.com udp
US 8.8.8.8:53 vkhabbdlwlmx.net udp
US 8.8.8.8:53 jvkuogggjdkh.biz udp
US 8.8.8.8:53 wjfgwlqndqxb.ru udp
US 8.8.8.8:53 ehrgrdvrmplx.org udp
US 8.8.8.8:53 rumraigygdyr.co.uk udp
US 8.8.8.8:53 fgpmnnjtsuwb.info udp
US 8.8.8.8:53 stkxvstbmiku.com udp
US 8.8.8.8:53 mewbvkavkdox.net udp
US 8.8.8.8:53 ngrbppmxelen.biz udp
US 8.8.8.8:53 nduhrunxqiab.ru udp
US 8.8.8.8:53 ofphlaaakqpq.org udp
US 8.8.8.8:53 iocsurdjtubr.co.uk udp
US 8.8.8.8:53 jqwsowplndqh.info udp
US 8.8.8.8:53 jnayqcqlaamu.com udp
US 8.8.8.8:53 kpuykhdntick.net udp
US 8.8.8.8:53 oxfqnrrxbwmu.biz udp
US 8.8.8.8:53 clacvallrqvk.ru udp
US 8.8.8.8:53 qtdhmcfgfowd.org udp
US 8.8.8.8:53 ehxsukytvigs.co.uk udp
US 8.8.8.8:53 kikimyulkoyo.info udp
US 8.8.8.8:53 xvftuhoybiie.com udp
US 8.8.8.8:53 meiyljitogjw.net udp
US 8.8.8.8:53 ardktrchfasm.biz udp
US 8.8.8.8:53 sfpdqgyeicxk.ru udp
US 8.8.8.8:53 thkdkoujyqre.org udp
US 8.8.8.8:53 ubntpqmmmtis.co.uk udp
US 8.8.8.8:53 vditjyirdicm.info udp
US 8.8.8.8:53 opuupncrrtke.com udp
US 8.8.8.8:53 prpujvxwiiex.net udp
US 8.8.8.8:53 qlsloxpavlum.biz udp
US 8.8.8.8:53 rnnliglfmaog.ru udp
US 8.8.8.8:53 udp

Files

\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

MD5 04fb36199787f2e3e2135611a38321eb
SHA1 65559245709fe98052eb284577f1fd61c01ad20d
SHA256 d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512 533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 20:56

Reported

2024-11-09 20:58

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe"

Signatures

CryptoLocker

ransomware cryptolocker

Cryptolocker family

cryptolocker

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe" C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe

"C:\Users\Admin\AppData\Local\Temp\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe"

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe"

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 184.164.136.134:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 rnowjdwpphiat.com udp
US 8.8.8.8:53 gvrgnlxbrhctn.net udp
US 8.8.8.8:53 tjmrvtroibljm.biz udp
US 8.8.8.8:53 kyarncjhdjffl.ru udp
US 8.8.8.8:53 lburhkfmtxyyl.org udp
US 8.8.8.8:53 muxmasegvdiou.co.uk udp
US 8.8.8.8:53 nwsmtbalmrcil.info udp
US 8.8.8.8:53 ihexejkigskal.com udp
US 8.8.8.8:53 jjyxxrgnwhetl.net udp
US 8.8.8.8:53 kdcsqafhymnjn.biz udp
US 8.8.8.8:53 lfwskibmpbhde.ru udp
US 8.8.8.8:53 ncymsslwbycpg.org udp
US 8.8.8.8:53 bptxbxveumpjf.co.uk udp
US 8.8.8.8:53 obwwcdyvpqydy.info udp
US 8.8.8.8:53 corikijdjemwh.com udp
US 8.8.8.8:53 jedvtaokahork.net udp
US 8.8.8.8:53 wrxhcfyrtuclj.biz udp
US 8.8.8.8:53 kdbgdkcjoylfk.ru udp
US 8.8.8.8:53 xqvrlpmqimyys.org udp
US 8.8.8.8:53 rjjyvhsoierjo.co.uk udp
US 8.8.8.8:53 sleypmfqcmhyf.info udp
US 8.8.8.8:53 sihjfrgnwvowh.com udp
US 8.8.8.8:53 tkcjywspqeemh.net udp
US 8.8.8.8:53 nlniwovchmelh.biz udp
US 8.8.8.8:53 oniiqtiebutbx.ru udp
US 8.8.8.8:53 oklsgyjbvebyh.org udp
US 8.8.8.8:53 pmgsaevdpmqoh.co.uk udp
US 8.8.8.8:53 tdronqvmreoig.info udp
US 8.8.8.8:53 70.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 hqmavypaixxxo.com udp
US 8.8.8.8:53 vypjabjxelmji.net udp
US 8.8.8.8:53 jmkuijdlufvyh.biz udp
US 8.8.8.8:53 pfvxoxyaqmbkk.ru udp
US 8.8.8.8:53 dsqjwgsnhgkas.org udp
US 8.8.8.8:53 rbtsbimldtylt.co.uk udp
US 8.8.8.8:53 fooejqgytnibs.info udp
US 8.8.8.8:53 xkcbqfdsyjaxr.com udp
US 8.8.8.8:53 ymwbknyxpxtrr.net udp
US 8.8.8.8:53 agavdpqelqxyt.biz udp
US 8.8.8.8:53 biuvwxmjcfrsk.ru udp
US 8.8.8.8:53 tmgkrmggxrmak.org udp
US 8.8.8.8:53 uobklucloggtk.co.uk udp
US 8.8.8.8:53 viefewtrkykbt.info udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 wkyfxfpwbneuk.com udp
US 8.8.8.8:53 yfqekvvnphevt.net udp
US 8.8.8.8:53 murngbgutswps.biz udp
US 8.8.8.8:53 aeootmqgkhvbt.ru udp
US 8.8.8.8:53 ntpxprbnosouc.org udp
US 8.8.8.8:53 wnukbqnpfaapt.co.uk udp
US 8.8.8.8:53 kdvtwvxwjlsjs.info udp
US 8.8.8.8:53 xmsukhiiaarum.com udp
US 8.8.8.8:53 lctegmspelkou.net udp
US 8.8.8.8:53 habwckydotfiq.biz udp
US 8.8.8.8:53 iecyiplfslwth.ru udp
US 8.8.8.8:53 iyyhlbtvjtwnq.org udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 jdajrggxnloyq.co.uk udp
US 8.8.8.8:53 fifdsfqfembcc.info udp
US 8.8.8.8:53 gmgfykdhiesns.com udp
US 8.8.8.8:53 ghdncvlxymshu.net udp
US 8.8.8.8:53 hlepibxadeksu.biz udp
US 8.8.8.8:53 fgjgftggadfkr.ru udp
US 8.8.8.8:53 svkpbcatnjgva.org udp
US 8.8.8.8:53 hchbrkbfswitb.co.uk udp
US 8.8.8.8:53 uriknsusgdjfa.info udp
US 8.8.8.8:53 donmvoxipvber.com udp
US 8.8.8.8:53 qeovrwrvdccpa.net udp
US 8.8.8.8:53 fklhifshipent.biz udp
US 8.8.8.8:53 samqenmuvvfys.ru udp
US 8.8.8.8:53 nbtywijkypoor.org udp
US 8.8.8.8:53 ofubdqfpmcxir.co.uk udp
US 8.8.8.8:53 pwrtjyejrjrxb.info udp
US 8.8.8.8:53 qbsvphaofvbrr.com udp
US 8.8.8.8:53 ljxfndbmoikid.net udp
US 8.8.8.8:53 mnyhtlwrcutcd.biz udp
US 8.8.8.8:53 nfvaatvlhcnrf.ru udp
US 8.8.8.8:53 ojwcgcrquowlv.org udp
US 8.8.8.8:53 mqsnnyrvljkdt.co.uk udp
US 8.8.8.8:53 agtwjecdpudws.info udp
US 8.8.8.8:53 npqxwjfuabhqm.com udp
US 8.8.8.8:53 bfrhsopcemaku.net udp
US 8.8.8.8:53 iswwothwwsggm.biz udp
US 8.8.8.8:53 vixgkyrebeyal.ru udp
US 8.8.8.8:53 jruhxeuvlkdtm.org udp
US 8.8.8.8:53 whvqtjfdpvvnu.co.uk udp
US 8.8.8.8:53 uldgfnulkvlpq.info udp
US 8.8.8.8:53 vpeilshnondbh.com udp
US 8.8.8.8:53 vkbqoxikynidj.net udp
US 8.8.8.8:53 wocsudumdfaoj.biz udp
US 8.8.8.8:53 qnhpgikmvfhsu.ru udp
US 8.8.8.8:53 rrirmnwoawyel.org udp
US 8.8.8.8:53 rmfapsxlkwegu.co.uk udp
US 8.8.8.8:53 sqgcvxknoovru.info udp
US 8.8.8.8:53 srlpiwclvhqxt.com udp
US 8.8.8.8:53 ghmyefvyjnrjc.net udp
US 8.8.8.8:53 unjkuhpwiooyv.biz udp
US 8.8.8.8:53 199.111.78.13.in-addr.arpa udp
US 8.8.8.8:53 idktqpjkvupku.ru udp
US 8.8.8.8:53 otpyjrrmhqmbm.org udp
US 8.8.8.8:53 cjqifalauwnmu.co.uk udp
US 8.8.8.8:53 qpntvcfxtxkcv.info udp
US 8.8.8.8:53 efodrkylhelnu.com udp
US 8.8.8.8:53 bmvialfputact.net udp
US 8.8.8.8:53 cqwkgtbuigjvt.biz udp
US 8.8.8.8:53 ditdmvsbhbxdv.ru udp
US 8.8.8.8:53 emufseogunhwm.org udp
US 8.8.8.8:53 woarbguqgdvfx.co.uk udp
US 8.8.8.8:53 xsbthoqvtpfyx.info udp
US 8.8.8.8:53 ykxmnqicsktgh.com udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

MD5 04fb36199787f2e3e2135611a38321eb
SHA1 65559245709fe98052eb284577f1fd61c01ad20d
SHA256 d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512 533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444