Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2024 21:09
Static task
static1
Behavioral task
behavioral1
Sample
9de9363c50721f3c8eae5a2725f51690_JaffaCakes118.exe
Resource
win7-20241010-en
General
- Target: 9de9363c50721f3c8eae5a2725f51690_JaffaCakes118.exe
- Size: 808KB
- MD5: 9de9363c50721f3c8eae5a2725f51690
- SHA1: f1eb284765f36d9d7c498e43d2403c3af2b2ab6f
- SHA256: 332773c3fd474628c8712985b6dcdf8e7e38f478570ac87665410023e60863a4
- SHA512: a36962d9e16873d108a79eaee1e1bfd5dceb2fab54f61a1dae5d859625d0b3bb5a80041c7cbebb90ad1c61f6d7efe90c7d698ab4d17353d68637b54090e85d4a
- SSDEEP: 12288:cXJYagld8WUxFkyekJfC+R3D5g4OYo4VsJdq3vbFPXswlXV/4JUu8KbEYUDDKvm8:2YFkJqOG4xBxVS
Malware Config
Extracted
cybergate
v1.07.5
Cyber
stopscammingidiot.no-ip.biz:100
G16V88J605XN2M
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: Svchost.exe
- install_dir: system32
- install_file: Svchost.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: 123456
- regkey_hkcu: HKCU
- regkey_hklm: HKLM
Signatures
- Cybergate family
- Adds policy Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\system32\\Svchost.exe" | 32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\system32\\Svchost.exe" | 32.exe
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6WXVCM1E-AV5K-V4MX-7547-SIU6F38IB028} | 32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6WXVCM1E-AV5K-V4MX-7547-SIU6F38IB028}\StubPath = "C:\\Windows\\system32\\system32\\Svchost.exe Restart" | 32.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{6WXVCM1E-AV5K-V4MX-7547-SIU6F38IB028} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6WXVCM1E-AV5K-V4MX-7547-SIU6F38IB028}\StubPath = "C:\\Windows\\system32\\system32\\Svchost.exe" | explorer.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | 32.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1116 | 32.exe
  1576 | Svchost.exe
- Loads dropped DLL (1 IoCs)
  pid | Process
  4272 | 32.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\system32\\Svchost.exe" | 32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\system32\\Svchost.exe" | 32.exe
- Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\system32\Svchost.exe | 32.exe
  File opened for modification | C:\Windows\SysWOW64\system32\Svchost.exe | 32.exe
  File opened for modification | C:\Windows\SysWOW64\system32\Svchost.exe | 32.exe
  File opened for modification | C:\Windows\SysWOW64\system32\ | 32.exe
-
  resource | yara_rule
  behavioral2/memory/1116-12-0x0000000010410000-0x0000000010475000-memory.dmp | upx
  behavioral2/memory/1116-14-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
  behavioral2/memory/1116-71-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
  behavioral2/memory/4820-76-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
  behavioral2/memory/4820-169-0x0000000010480000-0x00000000104E5000-memory.dmp | upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  1232 | 1576 | WerFault.exe | 87
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 32.exe
- Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  1116 | 32.exe
  1116 | 32.exe
  1116 | 32.exe
  1116 | 32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  4272 | 32.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 4820 | explorer.exe
  Token: SeRestorePrivilege | 4820 | explorer.exe
  Token: SeBackupPrivilege | 4272 | 32.exe
  Token: SeRestorePrivilege | 4272 | 32.exe
  Token: SeDebugPrivilege | 4272 | 32.exe
  Token: SeDebugPrivilege | 4272 | 32.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  1116 | 32.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2384 wrote to memory of 1116 | 2384 | 9de9363c50721f3c8eae5a2725f51690_JaffaCakes118.exe | 84
  PID 1116 wrote to memory of 3376 | 1116 | 32.exe | 56
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3376
  - C:\Users\Admin\AppData\Local\Temp\9de9363c50721f3c8eae5a2725f51690_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9de9363c50721f3c8eae5a2725f51690_JaffaCakes118.exe"
    PID: 2384
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\32.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\32.exe
      PID: 1116
      Signatures: Adds policy Run key to start application; Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe
        Command line: explorer.exe
        PID: 4820
        Signatures: Boot or Logon Autostart Execution: Active Setup; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Local\Temp\32.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\32.exe"
        PID: 4272
        Signatures: Checks computer location settings; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\system32\Svchost.exe
          Command line: "C:\Windows\system32\system32\Svchost.exe"
          PID: 1576
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
          - C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 572
            PID: 1232
            Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1576 -ip 1576
  PID: 2104
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
Downloads