Analysis

  • max time kernel
    50s
  • max time network
    90s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    17/11/2024, 15:09

General

  • Target

    Discord.rar

  • Size

    2.1MB

  • MD5

    2a605d92acf5b0f402b51eb4cd890f88

  • SHA1

    ba95e03eece9d1cf9e6c05f860e8103d7f67672d

  • SHA256

    e811decdc0c746351da7e841174ea7a644c287ae1ca177503f0f18930458e4f2

  • SHA512

    7dc1ec73052a77916b547aa0a819773887a01b52f392c493f59351bf87e4e38e5c979a302dce41fb6f2bb017c975cfedff066490277e43a2c38fc595e736e9aa

  • SSDEEP

    49152:+h208JbvjGu3UlCFj/vr6aOes7+525/3/iSOiZVpXCbI0H+lD:+h21vElCFj/vuaRs7+52lvO8Vp6gD

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 21 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Discord.rar"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:5020
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Discord\" -ad -an -ai#7zMap25000:72:7zEvent15712
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3796
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1216
    • C:\Users\Admin\Desktop\Discord\Prv.exe
      "C:\Users\Admin\Desktop\Discord\Prv.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4920
        • C:\Windows\system32\ipconfig.exe
          ipconfig /flushdns
          3⤵
          • Gathers network information
          PID:4132
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name="Block IP"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2572
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall delete rule name="Block IP"
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:4848
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        2⤵
          PID:1280
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c MODE CON COLS=55 LINES=12
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1812
          • C:\Windows\system32\mode.com
            MODE CON COLS=55 LINES=12
            3⤵
              PID:1696
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c cls
            2⤵
              PID:60
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1584
              • C:\Windows\system32\taskkill.exe
                taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4580
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:5072
              • C:\Windows\system32\taskkill.exe
                taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:5044
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1380
              • C:\Windows\system32\taskkill.exe
                taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:380
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2828
              • C:\Windows\system32\sc.exe
                sc stop HTTPDebuggerPro
                3⤵
                • Launches sc.exe
                PID:1708
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2564
              • C:\Windows\system32\taskkill.exe
                taskkill /IM HTTPDebuggerSvc.exe /F
                3⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:792
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
              2⤵
                PID:460
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c certutil -hashfile C:\Users\Admin\Desktop\Discord\Prv.exe MD5 >> C:\ProgramData\hash.txt
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:4612
                • C:\Windows\system32\certutil.exe
                  certutil -hashfile C:\Users\Admin\Desktop\Discord\Prv.exe MD5
                  3⤵
                    PID:4620
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4768
                  • C:\Windows\system32\taskkill.exe
                    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                    3⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3784
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                  2⤵
                    PID:4824
                    • C:\Windows\system32\taskkill.exe
                      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                      3⤵
                      • Kills process with taskkill
                      PID:8
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                    2⤵
                      PID:3552
                      • C:\Windows\system32\taskkill.exe
                        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                        3⤵
                        • Kills process with taskkill
                        PID:3780
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                      2⤵
                        PID:2616
                        • C:\Windows\system32\sc.exe
                          sc stop HTTPDebuggerPro
                          3⤵
                          • Launches sc.exe
                          PID:440
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                        2⤵
                          PID:1476
                          • C:\Windows\system32\taskkill.exe
                            taskkill /IM HTTPDebuggerSvc.exe /F
                            3⤵
                            • Kills process with taskkill
                            PID:3004
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                          2⤵
                            PID:3880
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                            2⤵
                              PID:1820
                              • C:\Windows\system32\taskkill.exe
                                taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                3⤵
                                • Kills process with taskkill
                                PID:4700
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                              2⤵
                                PID:3796
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                  3⤵
                                  • Kills process with taskkill
                                  PID:1748
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                2⤵
                                  PID:4056
                                  • C:\Windows\system32\taskkill.exe
                                    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                    3⤵
                                    • Kills process with taskkill
                                    PID:2572
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                  2⤵
                                    PID:1760
                                    • C:\Windows\system32\sc.exe
                                      sc stop HTTPDebuggerPro
                                      3⤵
                                      • Launches sc.exe
                                      PID:1092
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                    2⤵
                                      PID:836
                                      • C:\Windows\system32\taskkill.exe
                                        taskkill /IM HTTPDebuggerSvc.exe /F
                                        3⤵
                                        • Kills process with taskkill
                                        PID:4980
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                      2⤵
                                        PID:2448
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c cls
                                        2⤵
                                          PID:3096
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                          2⤵
                                            PID:1104
                                            • C:\Windows\system32\taskkill.exe
                                              taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                              3⤵
                                              • Kills process with taskkill
                                              PID:4976
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                            2⤵
                                              PID:4620
                                              • C:\Windows\system32\taskkill.exe
                                                taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                3⤵
                                                • Kills process with taskkill
                                                PID:3876
                                            • C:\Windows\system32\cmd.exe
                                              C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                              2⤵
                                                PID:2140
                                                • C:\Windows\system32\taskkill.exe
                                                  taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                  3⤵
                                                  • Kills process with taskkill
                                                  PID:3880
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                                2⤵
                                                  PID:3076
                                                  • C:\Windows\system32\sc.exe
                                                    sc stop HTTPDebuggerPro
                                                    3⤵
                                                    • Launches sc.exe
                                                    PID:1688
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                                  2⤵
                                                    PID:2136
                                                • C:\Users\Admin\Desktop\Discord\Prv.exe
                                                  "C:\Users\Admin\Desktop\Discord\Prv.exe"
                                                  1⤵
                                                    PID:2160
                                                    • C:\Windows\system32\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c ipconfig /flushdns
                                                      2⤵
                                                        PID:3996
                                                        • C:\Windows\system32\ipconfig.exe
                                                          ipconfig /flushdns
                                                          3⤵
                                                          • Gathers network information
                                                          PID:3156
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name="Block IP"
                                                        2⤵
                                                          PID:3728
                                                          • C:\Windows\system32\netsh.exe
                                                            netsh advfirewall firewall delete rule name="Block IP"
                                                            3⤵
                                                            • Modifies Windows Firewall
                                                            PID:3372
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c cls
                                                          2⤵
                                                            PID:3740
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c MODE CON COLS=55 LINES=12
                                                            2⤵
                                                              PID:3228
                                                              • C:\Windows\system32\mode.com
                                                                MODE CON COLS=55 LINES=12
                                                                3⤵
                                                                  PID:4692
                                                              • C:\Windows\system32\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c cls
                                                                2⤵
                                                                  PID:2124
                                                                • C:\Windows\system32\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                                                  2⤵
                                                                    PID:3848
                                                                    • C:\Windows\system32\taskkill.exe
                                                                      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                                                      3⤵
                                                                      • Kills process with taskkill
                                                                      PID:4800
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                                                    2⤵
                                                                      PID:192
                                                                      • C:\Windows\system32\taskkill.exe
                                                                        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                                        3⤵
                                                                        • Kills process with taskkill
                                                                        PID:1492
                                                                    • C:\Windows\system32\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                                                      2⤵
                                                                        PID:920
                                                                        • C:\Windows\system32\taskkill.exe
                                                                          taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                                          3⤵
                                                                          • Kills process with taskkill
                                                                          PID:616
                                                                      • C:\Windows\system32\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                                                        2⤵
                                                                          PID:2476
                                                                          • C:\Windows\system32\sc.exe
                                                                            sc stop HTTPDebuggerPro
                                                                            3⤵
                                                                            • Launches sc.exe
                                                                            PID:4432
                                                                        • C:\Windows\system32\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                                                          2⤵
                                                                            PID:4616
                                                                            • C:\Windows\system32\taskkill.exe
                                                                              taskkill /IM HTTPDebuggerSvc.exe /F
                                                                              3⤵
                                                                              • Kills process with taskkill
                                                                              PID:1976
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                                                            2⤵
                                                                              PID:4760
                                                                            • C:\Windows\system32\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c certutil -hashfile C:\Users\Admin\Desktop\Discord\Prv.exe MD5 >> C:\ProgramData\hash.txt
                                                                              2⤵
                                                                                PID:3792
                                                                                • C:\Windows\system32\certutil.exe
                                                                                  certutil -hashfile C:\Users\Admin\Desktop\Discord\Prv.exe MD5
                                                                                  3⤵
                                                                                    PID:440
                                                                                • C:\Windows\system32\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                                                                  2⤵
                                                                                    PID:2524
                                                                                    • C:\Windows\system32\taskkill.exe
                                                                                      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                                                                      3⤵
                                                                                      • Kills process with taskkill
                                                                                      PID:4584
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                                                                    2⤵
                                                                                      PID:5000
                                                                                      • C:\Windows\system32\taskkill.exe
                                                                                        taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                                                        3⤵
                                                                                        • Kills process with taskkill
                                                                                        PID:3292
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                                                                      2⤵
                                                                                        PID:1164
                                                                                    • C:\Windows\system32\OpenWith.exe
                                                                                      C:\Windows\system32\OpenWith.exe -Embedding
                                                                                      1⤵
                                                                                        PID:888
                                                                                        • C:\Windows\system32\NOTEPAD.EXE
                                                                                          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Discord\SecureEngineSDK64.dll
                                                                                          2⤵
                                                                                          • Opens file in notepad (likely ransom note)
                                                                                          PID:548

                                                                                      Network

                                                                                            MITRE ATT&CK Enterprise v15

                                                                                            Replay Monitor

                                                                                            Loading Replay Monitor...

                                                                                            Downloads

                                                                                            • C:\ProgramData\hash.txt

                                                                                              Filesize

                                                                                              140B

                                                                                              MD5

                                                                                              f55f1f1ae272d0c0f170a5c02f694301

                                                                                              SHA1

                                                                                              9ed3722a92fbc1a40be1a28642d2fa6804586a78

                                                                                              SHA256

                                                                                              d2532e4108591a92ea440d8c48c107c223981d287b129f728edff9e6d2ff256d

                                                                                              SHA512

                                                                                              388c0b9023e96cf3e71e30d10dd8e8c8d5e86e009dca3d609b0da17fd229ac1e24fb8ff704f59d20c5ccc03d7ae2efc6df457bab940937abe494ded47479938a

                                                                                            • C:\Users\Admin\Desktop\Discord\Prv.exe

                                                                                              Filesize

                                                                                              2.2MB

                                                                                              MD5

                                                                                              e66ed4613b57ea69f248d947c78aee5d

                                                                                              SHA1

                                                                                              fe22fd8f8d133d019d5a14737ebce8df93908b89

                                                                                              SHA256

                                                                                              df4f585a8338fb58d6d0d5a611faa30f1bf69ac792a5390e8ec322e6f96af040

                                                                                              SHA512

                                                                                              e9394f6d56b009e55dd7b1ee928641dc6422a201e50131e610a88b91556f2cf75fe1a366725625ce383e0c6d5899232390176c6cd2c6bf4f1cec793a88b8327f

                                                                                            • C:\Users\Admin\Desktop\Discord\SecureEngineSDK64.dll

                                                                                              Filesize

                                                                                              28KB

                                                                                              MD5

                                                                                              84d5311491c5174cc34406ec25fcb1f3

                                                                                              SHA1

                                                                                              c0c2ee8f6e515ef9f29c5de92a86fe7ec3063d7e

                                                                                              SHA256

                                                                                              6f33fd1a9bddc1eca5b73e2909bf63cea0ef96fb707fb6bc715e32b109f30772

                                                                                              SHA512

                                                                                              693bbb170e4a29d2ed3eb0293cf5cc67b2f223c3b365787f6be53f4194b450dd95c86ccb47dd87f72e19f3e3349e61f78ed79561d263e8df3e82714a7b3f02ba

                                                                                            • C:\Users\Admin\Desktop\Discord\libcrypto-3-x64.dll

                                                                                              Filesize

                                                                                              4.9MB

                                                                                              MD5

                                                                                              c8206fdc0701395880c71c7913d1aaf4

                                                                                              SHA1

                                                                                              dc0d885dee996da8cd74d1bee328ca5739af4c5a

                                                                                              SHA256

                                                                                              d7b9362e945a06d53b61d6525c8e87031969fce7156663d102b2b965d69a67cc

                                                                                              SHA512

                                                                                              79ada6f20a9ba11ba0f384322168036d1f842a971e7c6c054e804b6ed01d8f53db372a1da944222fa7dcdd5062a029f3d81a75ee4e5ae4051e029b739e553c57