Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2024 18:24
Behavioral task
behavioral1
Sample
0e0103ee9a25015e18f8b3041f68e17a7185bd599d5613fde83df054b4189109N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
0e0103ee9a25015e18f8b3041f68e17a7185bd599d5613fde83df054b4189109N.exe
Resource
win10v2004-20241007-en
General
-
Target
0e0103ee9a25015e18f8b3041f68e17a7185bd599d5613fde83df054b4189109N.exe
-
Size
1.5MB
-
MD5
ce218c18aae52502241895cffd1e79e0
-
SHA1
a9d6204f2f6bd024e9946f0b6ffc1447254e88a0
-
SHA256
0e0103ee9a25015e18f8b3041f68e17a7185bd599d5613fde83df054b4189109
-
SHA512
46b2928eaacfb7eb113a905863e973ce9b15fd55eb6cbf70581e3978c8425591d893d8bf98350b0823a22be11af756c7ec5e06e6e00ac1f5e66db5c215b58b9e
-
SSDEEP
12288:Y+Qf9NxkERr1JzrDTzz7wHxhW88KH6Yn77TCNp8jToZGrhR0ZooSR:Ox0j8KaYnfTYp8/oZMGZQ
Malware Config
Signatures
-
Modifies firewall policy service 3 TTPs 8 IoCs
Processes: reg.exe, reg.exe, reg.exe, reg.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe = "C:\\Users\\Admin\\AppData\\Roaming\\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe:*:Enabled:Windows Messanger" | reg.exe
Executes dropped EXE 3 IoCs
Processes: winlogon.exe, winlogon.exe, winlogon.exe
pid | Process
2652 | winlogon.exe
2676 | winlogon.exe
2928 | winlogon.exe
Loads dropped DLL 7 IoCs
Processes: 0e0103ee9a25015e18f8b3041f68e17a7185bd599d5613fde83df054b4189109N.exe, winlogon.exe
pid | Process
1320 | 0e0103ee9a25015e18f8b3041f68e17a7185bd599d5613fde83df054b4189109N.exe
1320 | 0e0103ee9a25015e18f8b3041f68e17a7185bd599d5613fde83df054b4189109N.exe
1320 | 0e0103ee9a25015e18f8b3041f68e17a7185bd599d5613fde83df054b4189109N.exe
1320 | 0e0103ee9a25015e18f8b3041f68e17a7185bd599d5613fde83df054b4189109N.exe
1320 | 0e0103ee9a25015e18f8b3041f68e17a7185bd599d5613fde83df054b4189109N.exe
2652 | winlogon.exe
2652 | winlogon.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: reg.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" | reg.exe
Suspicious use of SetThreadContext 2 IoCs
Processes: winlogon.exe
description | pid | Process | procid_target
PID 2652 set thread context of 2676 | 2652 | winlogon.exe | 35
PID 2652 set thread context of 2928 | 2652 | winlogon.exe | 36
Processes:
resource | yara_rule
behavioral1/memory/1320-0-0x0000000000400000-0x000000000058F000-memory.dmp | upx
behavioral1/files/0x00080000000195c5-27.dat | upx
behavioral1/memory/1320-46-0x0000000000400000-0x000000000058F000-memory.dmp | upx
behavioral1/memory/2676-53-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral1/memory/2676-59-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral1/memory/2676-55-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral1/memory/2676-50-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral1/memory/2928-63-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral1/memory/2928-66-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral1/memory/2652-69-0x0000000000400000-0x000000000058F000-memory.dmp | upx
behavioral1/memory/2928-65-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral1/memory/2676-70-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral1/memory/2676-71-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral1/memory/2928-72-0x0000000000400000-0x0000000000409000-memory.dmp | upx
behavioral1/memory/2676-73-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral1/memory/2676-75-0x0000000000400000-0x000000000045D000-memory.dmp | upx
behavioral1/memory/2676-78-0x0000000000400000-0x000000000045D000-memory.dmp | upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: winlogon.exe, cmd.exe, reg.exe, reg.exe, winlogon.exe, cmd.exe, 0e0103ee9a25015e18f8b3041f68e17a7185bd599d5613fde83df054b4189109N.exe, reg.exe, winlogon.exe, cmd.exe, cmd.exe, cmd.exe, reg.exe, reg.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0e0103ee9a25015e18f8b3041f68e17a7185bd599d5613fde83df054b4189109N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Modifies registry key 1 TTPs 4 IoCs
Processes: reg.exe, reg.exe, reg.exe, reg.exe
pid | Process
2252 | reg.exe
2392 | reg.exe
2512 | reg.exe
372 | reg.exe
Suspicious use of AdjustPrivilegeToken 36 IoCs
Processes: winlogon.exe, winlogon.exe
description | pid | Process
Token: 1 | 2676 | winlogon.exe
Token: SeCreateTokenPrivilege | 2676 | winlogon.exe
Token: SeAssignPrimaryTokenPrivilege | 2676 | winlogon.exe
Token: SeLockMemoryPrivilege | 2676 | winlogon.exe
Token: SeIncreaseQuotaPrivilege | 2676 | winlogon.exe
Token: SeMachineAccountPrivilege | 2676 | winlogon.exe
Token: SeTcbPrivilege | 2676 | winlogon.exe
Token: SeSecurityPrivilege | 2676 | winlogon.exe
Token: SeTakeOwnershipPrivilege | 2676 | winlogon.exe
Token: SeLoadDriverPrivilege | 2676 | winlogon.exe
Token: SeSystemProfilePrivilege | 2676 | winlogon.exe
Token: SeSystemtimePrivilege | 2676 | winlogon.exe
Token: SeProfSingleProcessPrivilege | 2676 | winlogon.exe
Token: SeIncBasePriorityPrivilege | 2676 | winlogon.exe
Token: SeCreatePagefilePrivilege | 2676 | winlogon.exe
Token: SeCreatePermanentPrivilege | 2676 | winlogon.exe
Token: SeBackupPrivilege | 2676 | winlogon.exe
Token: SeRestorePrivilege | 2676 | winlogon.exe
Token: SeShutdownPrivilege | 2676 | winlogon.exe
Token: SeDebugPrivilege | 2676 | winlogon.exe
Token: SeAuditPrivilege | 2676 | winlogon.exe
Token: SeSystemEnvironmentPrivilege | 2676 | winlogon.exe
Token: SeChangeNotifyPrivilege | 2676 | winlogon.exe
Token: SeRemoteShutdownPrivilege | 2676 | winlogon.exe
Token: SeUndockPrivilege | 2676 | winlogon.exe
Token: SeSyncAgentPrivilege | 2676 | winlogon.exe
Token: SeEnableDelegationPrivilege | 2676 | winlogon.exe
Token: SeManageVolumePrivilege | 2676 | winlogon.exe
Token: SeImpersonatePrivilege | 2676 | winlogon.exe
Token: SeCreateGlobalPrivilege | 2676 | winlogon.exe
Token: 31 | 2676 | winlogon.exe
Token: 32 | 2676 | winlogon.exe
Token: 33 | 2676 | winlogon.exe
Token: 34 | 2676 | winlogon.exe
Token: 35 | 2676 | winlogon.exe
Token: SeDebugPrivilege | 2928 | winlogon.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: 0e0103ee9a25015e18f8b3041f68e17a7185bd599d5613fde83df054b4189109N.exe, winlogon.exe, winlogon.exe, winlogon.exe
pid | Process
1320 | 0e0103ee9a25015e18f8b3041f68e17a7185bd599d5613fde83df054b4189109N.exe
2652 | winlogon.exe
2676 | winlogon.exe
2676 | winlogon.exe
2676 | winlogon.exe
2928 | winlogon.exe
Suspicious use of WriteProcessMemory 62 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\0e0103ee9a25015e18f8b3041f68e17a7185bd599d5613fde83df054b4189109N.exe
"C:\Users\Admin\AppData\Local\Temp\0e0103ee9a25015e18f8b3041f68e17a7185bd599d5613fde83df054b4189109N.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1320
  C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\YWiQc.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3012
    C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Winlogon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe" /f
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1052
  C:\Users\Admin\AppData\Roaming\winlogon.exe
  "C:\Users\Admin\AppData\Roaming\winlogon.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2652
    C:\Users\Admin\AppData\Roaming\winlogon.exe
    C:\Users\Admin\AppData\Roaming\winlogon.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2676
      C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:1508
        C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID:2512
      C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2712
        C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID:2392
      C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2660
        C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID:2252
      C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2828
        C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID:372
    C:\Users\Admin\AppData\Roaming\winlogon.exe
    C:\Users\Admin\AppData\Roaming\winlogon.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2928
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 1
- Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
- Windows Service: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 1
- Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
- Windows Service: 1
Defense Evasion
- Impair Defenses: 1
- Disable or Modify System Firewall: 1
- Modify Registry: 3
Downloads