Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03-12-2024 04:14
Behavioral task
behavioral1
Sample
bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe
-
Size
298KB
-
MD5
bba9bc42e2c616f5fe42a83dc440b3ae
-
SHA1
29bd2e241961e4a3470776bececa728974b5f142
-
SHA256
b2c9088dc6b52cc189efc5c4898b5d0b17673542b962c2a5e5313aae22adff45
-
SHA512
e8be963396ab0baea74440b27f88d9d62586a7ac761639f6d71477a7d1d5264197003f7b2be8dc3cdc6100d656097f4ba92853b8f75e9a53b146ca82282de41d
-
SSDEEP
6144:F1161OH3pmoqSDcP56APtw8OZikb/WLbbcu8csOKDCokuFnQJNpT6XgW:FJASIP5NPtw8O1b/WLbbfijOokuFJXz
Malware Config
Extracted
darkcomet
slave 7
zapto666.zapto.org:111
sildelanoe2.zapto.org:111
DC_MUTEX-AABY2SY
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
dBJTCCgZ3jHq
-
install
true
-
offline_keylogger
false
-
persistence
true
-
reg_key
MicroUpdate
Extracted
latentbot
sildelanoe2.zapto.org
Signatures
-
Darkcomet family
-
Latentbot family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe" bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe -
Processes:
msdcsc.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe -
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Deletes itself 1 IoCs
Processes:
notepad.exepid Process 2452 notepad.exe -
Executes dropped EXE 2 IoCs
Processes:
msdcsc.exemsdcsc.exepid Process 2864 msdcsc.exe 2784 msdcsc.exe -
Loads dropped DLL 3 IoCs
Processes:
bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exemsdcsc.exepid Process 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 2864 msdcsc.exe -
Processes:
msdcsc.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exemsdcsc.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe" bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe" msdcsc.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
msdcsc.exedescription pid Process procid_target PID 2864 set thread context of 2784 2864 msdcsc.exe 36 -
Processes:
resource yara_rule behavioral1/memory/2528-0-0x0000000000400000-0x0000000000456000-memory.dmp upx behavioral1/memory/2664-5-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2664-8-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2528-14-0x0000000000400000-0x0000000000456000-memory.dmp upx behavioral1/memory/2664-11-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2664-15-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2664-16-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2664-17-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2664-18-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2664-19-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/files/0x0008000000017481-39.dat upx behavioral1/memory/2864-49-0x0000000000400000-0x0000000000456000-memory.dmp upx behavioral1/memory/2664-45-0x0000000003DB0000-0x0000000003E06000-memory.dmp upx behavioral1/memory/2864-66-0x0000000000400000-0x0000000000456000-memory.dmp upx behavioral1/memory/2784-61-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2784-67-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2784-68-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2784-69-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2664-112-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral1/memory/2784-115-0x0000000000400000-0x00000000004B7000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
attrib.exemsdcsc.exemsdcsc.exenotepad.exebba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exebba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exenotepad.execmd.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdcsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdcsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
msdcsc.exepid Process 2784 msdcsc.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exemsdcsc.exedescription pid Process Token: SeIncreaseQuotaPrivilege 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: SeSecurityPrivilege 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: SeLoadDriverPrivilege 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: SeSystemProfilePrivilege 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: SeSystemtimePrivilege 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: SeBackupPrivilege 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: SeRestorePrivilege 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: SeShutdownPrivilege 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: SeDebugPrivilege 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: SeUndockPrivilege 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: SeManageVolumePrivilege 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: SeImpersonatePrivilege 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: 33 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: 34 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: 35 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2784 msdcsc.exe Token: SeSecurityPrivilege 2784 msdcsc.exe Token: SeTakeOwnershipPrivilege 2784 msdcsc.exe Token: SeLoadDriverPrivilege 2784 msdcsc.exe Token: SeSystemProfilePrivilege 2784 msdcsc.exe Token: SeSystemtimePrivilege 2784 msdcsc.exe Token: SeProfSingleProcessPrivilege 2784 msdcsc.exe Token: SeIncBasePriorityPrivilege 2784 msdcsc.exe Token: SeCreatePagefilePrivilege 2784 msdcsc.exe Token: SeBackupPrivilege 2784 msdcsc.exe Token: SeRestorePrivilege 2784 msdcsc.exe Token: SeShutdownPrivilege 2784 msdcsc.exe Token: SeDebugPrivilege 2784 msdcsc.exe Token: SeSystemEnvironmentPrivilege 2784 msdcsc.exe Token: SeChangeNotifyPrivilege 2784 msdcsc.exe Token: SeRemoteShutdownPrivilege 2784 msdcsc.exe Token: SeUndockPrivilege 2784 msdcsc.exe Token: SeManageVolumePrivilege 2784 msdcsc.exe Token: SeImpersonatePrivilege 2784 msdcsc.exe Token: SeCreateGlobalPrivilege 2784 msdcsc.exe Token: 33 2784 msdcsc.exe Token: 34 2784 msdcsc.exe Token: 35 2784 msdcsc.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exemsdcsc.exepid Process 2528 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 2864 msdcsc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exebba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.execmd.exemsdcsc.exemsdcsc.exedescription pid Process procid_target PID 2528 wrote to memory of 2664 2528 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 30 PID 2528 wrote to memory of 2664 2528 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 30 PID 2528 wrote to memory of 2664 2528 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 30 PID 2528 wrote to memory of 2664 2528 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 30 PID 2528 wrote to memory of 2664 2528 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 30 PID 2528 wrote to memory of 2664 2528 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 30 PID 2528 wrote to memory of 2664 2528 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 30 PID 2528 wrote to memory of 2664 2528 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 30 PID 2664 wrote to memory of 2184 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 31 PID 2664 wrote to memory of 2184 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 31 PID 2664 wrote to memory of 2184 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 31 PID 2664 wrote to memory of 2184 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 31 PID 2664 wrote to memory of 2452 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 32 PID 2664 wrote to memory of 2452 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 32 PID 2664 wrote to memory of 2452 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 32 PID 2664 wrote to memory of 2452 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 32 PID 2664 wrote to memory of 2452 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 32 PID 2664 wrote to memory of 2452 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 32 PID 2664 wrote to memory of 2452 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 32 PID 2664 wrote to memory of 2452 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 32 PID 2664 wrote to memory of 2452 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 32 PID 2664 wrote to memory of 2452 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 32 PID 2664 wrote to memory of 2452 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 32 PID 2664 wrote to memory of 2452 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 32 PID 2664 wrote to memory of 2452 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 32 PID 2664 wrote to memory of 2452 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 32 PID 2664 wrote to memory of 2452 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 32 PID 2664 wrote to memory of 2452 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 32 PID 2664 wrote to memory of 2452 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 32 PID 2664 wrote to memory of 2452 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 32 PID 2184 wrote to memory of 2876 2184 cmd.exe 34 PID 2184 wrote to memory of 2876 2184 cmd.exe 34 PID 2184 wrote to memory of 2876 2184 cmd.exe 34 PID 2184 wrote to memory of 2876 2184 cmd.exe 34 PID 2664 wrote to memory of 2864 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 35 PID 2664 wrote to memory of 2864 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 35 PID 2664 wrote to memory of 2864 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 35 PID 2664 wrote to memory of 2864 2664 bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe 35 PID 2864 wrote to memory of 2784 2864 msdcsc.exe 36 PID 2864 wrote to memory of 2784 2864 msdcsc.exe 36 PID 2864 wrote to memory of 2784 2864 msdcsc.exe 36 PID 2864 wrote to memory of 2784 2864 msdcsc.exe 36 PID 2864 wrote to memory of 2784 2864 msdcsc.exe 36 PID 2864 wrote to memory of 2784 2864 msdcsc.exe 36 PID 2864 wrote to memory of 2784 2864 msdcsc.exe 36 PID 2864 wrote to memory of 2784 2864 msdcsc.exe 36 PID 2784 wrote to memory of 2648 2784 msdcsc.exe 37 PID 2784 wrote to memory of 2648 2784 msdcsc.exe 37 PID 2784 wrote to memory of 2648 2784 msdcsc.exe 37 PID 2784 wrote to memory of 2648 2784 msdcsc.exe 37 PID 2784 wrote to memory of 2648 2784 msdcsc.exe 37 PID 2784 wrote to memory of 2648 2784 msdcsc.exe 37 PID 2784 wrote to memory of 2648 2784 msdcsc.exe 37 PID 2784 wrote to memory of 2648 2784 msdcsc.exe 37 PID 2784 wrote to memory of 2648 2784 msdcsc.exe 37 PID 2784 wrote to memory of 2648 2784 msdcsc.exe 37 PID 2784 wrote to memory of 2648 2784 msdcsc.exe 37 PID 2784 wrote to memory of 2648 2784 msdcsc.exe 37 PID 2784 wrote to memory of 2648 2784 msdcsc.exe 37 PID 2784 wrote to memory of 2648 2784 msdcsc.exe 37 PID 2784 wrote to memory of 2648 2784 msdcsc.exe 37 PID 2784 wrote to memory of 2648 2784 msdcsc.exe 37 PID 2784 wrote to memory of 2648 2784 msdcsc.exe 37 PID 2784 wrote to memory of 2648 2784 msdcsc.exe 37 -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Users\Admin\AppData\Local\Temp\bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe"2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe" +s +h3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\bba9bc42e2c616f5fe42a83dc440b3ae_JaffaCakes118.exe" +s +h4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2876
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2452
-
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\notepad.exenotepad5⤵
- System Location Discovery: System Language Discovery
PID:2648
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
298KB
MD5bba9bc42e2c616f5fe42a83dc440b3ae
SHA129bd2e241961e4a3470776bececa728974b5f142
SHA256b2c9088dc6b52cc189efc5c4898b5d0b17673542b962c2a5e5313aae22adff45
SHA512e8be963396ab0baea74440b27f88d9d62586a7ac761639f6d71477a7d1d5264197003f7b2be8dc3cdc6100d656097f4ba92853b8f75e9a53b146ca82282de41d