Analysis
-
max time kernel
129s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24-11-2024 00:38
Static task
static1
Behavioral task
behavioral1
Sample
9195e1c89017d1d0528d870e330db61e_JaffaCakes118.html
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
9195e1c89017d1d0528d870e330db61e_JaffaCakes118.html
Resource
win10v2004-20241007-en
General
-
Target
9195e1c89017d1d0528d870e330db61e_JaffaCakes118.html
-
Size
156KB
-
MD5
9195e1c89017d1d0528d870e330db61e
-
SHA1
8a05f285eb0837097322613564be51d8557cf656
-
SHA256
eea351a088b64d3f8e14af479e2851434dfce6ddc284fdc2c3f3f978aa5ff5f2
-
SHA512
1f09298b9c5c213be07b53aa0b93a1817012532c3976ce70a097f3c9a1abd31d2d8810057cb80a381228e07a8abb3ff679c2f94cd16a4130a9e8ab8f727b1e9c
-
SSDEEP
3072:iZIpJBU8B8yfkMY+BES09JXAnyrZalI+YQ:iCe8BhsMYod+X3oI+YQ
Malware Config
Signatures
-
Ramnit family
-
Executes dropped EXE 2 IoCs
pid Process 2124 svchost.exe 352 DesktopLayer.exe -
Loads dropped DLL 2 IoCs
pid Process 2548 IEXPLORE.EXE 2124 svchost.exe -
resource yara_rule behavioral1/files/0x00300000000187a2-430.dat upx behavioral1/memory/2124-434-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/2124-437-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/352-446-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/352-450-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/352-448-0x0000000000400000-0x000000000042E000-memory.dmp upx behavioral1/memory/2124-444-0x0000000000400000-0x000000000042E000-memory.dmp upx -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\pxDDC2.tmp svchost.exe File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe svchost.exe File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DesktopLayer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{75B6ED31-A9FC-11EF-A5D8-F2DF7204BD4F} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438570592" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 352 DesktopLayer.exe 352 DesktopLayer.exe 352 DesktopLayer.exe 352 DesktopLayer.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1564 iexplore.exe 1564 iexplore.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 1564 iexplore.exe 1564 iexplore.exe 2548 IEXPLORE.EXE 2548 IEXPLORE.EXE 2548 IEXPLORE.EXE 2548 IEXPLORE.EXE 1564 iexplore.exe 1564 iexplore.exe 1960 IEXPLORE.EXE 1960 IEXPLORE.EXE 1960 IEXPLORE.EXE 1960 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 1564 wrote to memory of 2548 1564 iexplore.exe 29 PID 1564 wrote to memory of 2548 1564 iexplore.exe 29 PID 1564 wrote to memory of 2548 1564 iexplore.exe 29 PID 1564 wrote to memory of 2548 1564 iexplore.exe 29 PID 2548 wrote to memory of 2124 2548 IEXPLORE.EXE 33 PID 2548 wrote to memory of 2124 2548 IEXPLORE.EXE 33 PID 2548 wrote to memory of 2124 2548 IEXPLORE.EXE 33 PID 2548 wrote to memory of 2124 2548 IEXPLORE.EXE 33 PID 2124 wrote to memory of 352 2124 svchost.exe 34 PID 2124 wrote to memory of 352 2124 svchost.exe 34 PID 2124 wrote to memory of 352 2124 svchost.exe 34 PID 2124 wrote to memory of 352 2124 svchost.exe 34 PID 352 wrote to memory of 2512 352 DesktopLayer.exe 35 PID 352 wrote to memory of 2512 352 DesktopLayer.exe 35 PID 352 wrote to memory of 2512 352 DesktopLayer.exe 35 PID 352 wrote to memory of 2512 352 DesktopLayer.exe 35 PID 1564 wrote to memory of 1960 1564 iexplore.exe 36 PID 1564 wrote to memory of 1960 1564 iexplore.exe 36 PID 1564 wrote to memory of 1960 1564 iexplore.exe 36 PID 1564 wrote to memory of 1960 1564 iexplore.exe 36
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\9195e1c89017d1d0528d870e330db61e_JaffaCakes118.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1564 CREDAT:275457 /prefetch:22⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:352 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:2512
-
-
-
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1564 CREDAT:472080 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1960
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59c1d35659775bdac73d7beca4c468544
SHA1a5ff530ca9d23d263694eb7c4d0bf662205d4d3b
SHA256e60e32df34dbaba2c55cdfa2f185b8e667b718db474ed3c9b06c495b2b8c1284
SHA5126ff69d1d4bfc9db42db4a7e26073e7d37fd61973bb5dc1b2a6874877c28748e541dc1bdb52c731fa90ee736c380d326d8de37f6ce82bfec07f73650e18473695
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5bf3f9fa14c0851b9ef7b2f44122b82fe
SHA1fbb61e65e8df27787aa1fcc4214a34bb2abbaaff
SHA256409e91c126abe1a2b00f6937fd23549011fd43d2d0988f37aef0e80dec145a2f
SHA5120991b6b9c07708e6745926e5fe5b6433c0aaa2d48f57451b47a6a9400c2c65ce33f35386001852525cd7919114ca1d5389fcbc65070a313f5c08fe64272c0f35
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a6aa4e31df3e4c84f7c58eff30a96505
SHA1413ba40f5e122256b4c7cc861cba6b8313ba8203
SHA256072cf34b597fa39efebdacb67f54ca8c04505847f84e0af5d7e584de2e6c5cc0
SHA512322b437c2e19c5ab7438ca11fea1983120dde059b0388e192a7c4d2ba057fd832953adcfc9912c0cae74f0379e7797e935e4bd59535b64ceead4636892090991
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52ca97bcc2fc08252b66b372fdec99261
SHA15d7365e4ebce78c57a495dac775fad49fdac4b96
SHA256b8012e85e6705f52a3ed1e557e39d8017843fb13237907fbf4c1d7bbb8453373
SHA512fe3325e7c88d9ff92c170ee6f1414b10e3d2cd3ec2188fe0c25e27d71d48a1ad759a459d9e61162836c7c7d60df41af7e95ee302716c98ec79156a2323a12dc7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD58b160d68adf0c798bbc50100717b8062
SHA1e992cc33c226781624ed86a9845ee8b27d1d4427
SHA256bd0053c7a8d13e988cb7200581e91d958706d91fa904b93da1afb86cd473ccfd
SHA51278e80937857e1016aace2b700b24f4acd9d6500e626543101a7dd7b18b3b574ad6f689f71820cc2a0a124b77874bf8d662dc9ff18978768930949f005941a5b7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e0601625354b3cf1fff9cc2f3a9e249d
SHA14e0e911e5f3f8e262ec6d110be38716b0d0f7828
SHA2563577b3a680474ac71fc1b89fe2169fae9ef319fdd92c40636e632441a8e129c7
SHA5125d790628fac32554519c3b7cf7c6bd2561986e591c0e257a8b281fdee908caa087cf6a46825e28e73bf75a3a8d1a51efcc18d3f4ab548fae5cf4c96f6c4a8edf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD513fce79c9216383a8f0cc9a4a8b185aa
SHA1752d96b86b618301bb5e141a7205823dab0d0087
SHA256ee503a18175d92ea7a74bbbc477fefa97e2fcb4db00f7c59fb1fa8de8fab84ac
SHA51226f111016c8b361b6e2854c44f99d4b617034613221e35f7b520a07591ea491a5ce83fb59cb87d1368207348ebbaea72fafc58393db28a7b032e81744274d6dc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57f5f8104fdf9edc4fb656ddac0959371
SHA1efea10593f5ae069a04011938218ea612ecc4bd9
SHA256accab62e8154ed59eab29bcbccb72c1deac92fe3b0a00e35632be8208e097528
SHA51245efb0d91deee889b60a59a2500291e3f81f2227f13f417fb66223db59dc73c345c4b0abe1d88a525138f4542406bcdf715ff3bf8338d18a9a329d7ef5f564c2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51da392c23791af2655fa5a74cf7f7fd3
SHA168f64869e52f1157804a7b267db292ddee5ffb87
SHA256225e055ad0434e9d1ffb3f6b502c8e37efb33f2e94371b55fcb2511fd95f7feb
SHA51228b9f7df8a50c55e58f09138f8139e22d9baa5930b905ee37a1fd1a07e22219640a2313647d3418ef120b57538bfebdc2ca7b09f7c0192372d265894a5872c30
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5abbcbac0b0f83b4e2394feda4bd4c0ba
SHA127122db29c556c64a585996496f6d3b8f0b4ed32
SHA2569523caa467a4aba7be3e8edda2ac4e13e6a8bce948fadce8930f4d0e90bd8ade
SHA512372313523fee51d1698a56568a96869807735c1d4839037906f7c884150a3f7b82aae656a4d345f3f3809bb1acb4ca851a6185b69a72bdc2270dcce9ec781e94
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56a4e5a5ae3f38fc3180de5343a34e31a
SHA101a074ee1b0318ded7d8488fffebcb16e6a5cc9c
SHA2560310ace4b9d7ba4621259c9b1330e3fae0976cc87e4398150eb5a054b1dc0a8d
SHA5125e319b56da45964d82eacde548b63d21a711a34f61e4a8d9dc7eed7bbd142b602bc4cf526bc8f4a1a926f69aecadfe8b3790eff2ad2aa4edd112d1be48ff2d2f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD555869814dfafd95d60297a7d6042318d
SHA19a8f58ca94197013e73ca9250358bf50eed90146
SHA25669e3c66d2838127704b667ef16b509c84891544a0ff68b0be291f9fe54de487c
SHA512dff15853abc11c75a310685e3b4e640cc2a9e2c14bd89ba44bd2746f311e2277c479834331a945106152fe3d5441527c98ff51fc999629483049d6181ae0d2c5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c1f6c64ae7afa696b60ae66cfd454f0b
SHA18b8c40e0f6c79593e1da64b822fe045945244a64
SHA256dedc57768b9420e38a52756dfb08f85a0bec014352b18ad739495e7a608d6b81
SHA5125de20137e48f8191b59abe69b19b01394b608c0fab64ef55fa94e879a3795d3de9c7e2fc27753823739651a5b0c7e2849db0762224eded35990e80d4ca020b9d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5aeffc7e3c00b06e4bec40a0f8e161771
SHA15a1969c232c01aa0307f589bdd3b2598eb76510b
SHA2565882602a350d34005002788e511415a949719dd7e6e1fff12e07658622f88109
SHA51201971d0b5d1a42206f4a01b48017fcdcfbcf61419a0080f954f6d6335213b5f220946294979e23ef4812f475534b72165e2f349f8c0e05553e54f92b902f3480
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52ce2c6f0cec66399928fa3fb329549c8
SHA14193e235e98667895fb51ee6ebcf1117a76038e8
SHA25698b7ef260b2d9dfcba03a99a9f7030f49bc4ff08b5a1c1f2a57ae2431bdcd426
SHA5124e13d60a1d3f460abebb492009f880726545fcc22197b9a92923237592070982052278e0dc4774eda74d5e502d82641ed27d3b88b76577a765aa07e632ba14f4
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a