Analysis
max time kernel: 150s
max time network: 144s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 11-12-2024 18:43
Static task: static1
Behavioral task: behavioral1
Sample: e2bbd596179582e40b8771379774f5e3_JaffaCakes118.exe
Resource: win7-20241023-en
General
Target: e2bbd596179582e40b8771379774f5e3_JaffaCakes118.exe
Size: 120KB
MD5: e2bbd596179582e40b8771379774f5e3
SHA1: b96832b1b0f934560be51bd252fc43896aebedfc
SHA256: 6cd25463ac6d0b271bcca8e07e25e8907646f74a4ec6c533a44f65f92ddf1eb2
SHA512: cc0d9429dd8e95321d138a5d71423bbe95e494a10c32eff61e6fe1e7ba5f01a73239adb5884b690da5d6a9552be28f324e3c114c4ea0a26e43a9cef06db2d77c
SSDEEP: 768:qQxkwifBsIqHpcrkMEYEhA7P4RhAtmaZFb79U9MKAjBEig6/1k21m3uHRdMNDj2Y:q8kwilTEhU4HDa1KkjWXUa21mc/Mue9
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" | svchost.exe
Ramnit family
Executes dropped EXE 1 IoCs
pid | Process
2772 | WaterMark.exe
Loads dropped DLL 2 IoCs
pid | Process
2464 | e2bbd596179582e40b8771379774f5e3_JaffaCakes118.exe
2464 | e2bbd596179582e40b8771379774f5e3_JaffaCakes118.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
resource | yara_rule
behavioral1/memory/2464-3-0x0000000000400000-0x0000000000439000-memory.dmp | upx
behavioral1/memory/2772-15-0x0000000000400000-0x0000000000439000-memory.dmp | upx
behavioral1/memory/2772-49-0x0000000000400000-0x0000000000439000-memory.dmp | upx
behavioral1/memory/2772-559-0x0000000000400000-0x0000000000439000-memory.dmp | upx
Drops file in Program Files directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e2bbd596179582e40b8771379774f5e3_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMark.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid | Process
2772 | WaterMark.exe
2724 | svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2772 | WaterMark.exe
Token: SeDebugPrivilege | 2724 | svchost.exe
Token: SeDebugPrivilege | 2772 | WaterMark.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2464 wrote to memory of 2772 | 2464 | e2bbd596179582e40b8771379774f5e3_JaffaCakes118.exe | 30
PID 2772 wrote to memory of 1496 | 2772 | WaterMark.exe | 31
PID 2772 wrote to memory of 2724 | 2772 | WaterMark.exe | 32
PID 2724 wrote to memory of 256 | 2724 | svchost.exe | 1
PID 2724 wrote to memory of 336 | 2724 | svchost.exe | 2
PID 2724 wrote to memory of 384 | 2724 | svchost.exe | 3
PID 2724 wrote to memory of 396 | 2724 | svchost.exe | 4
PID 2724 wrote to memory of 432 | 2724 | svchost.exe | 5
PID 2724 wrote to memory of 476 | 2724 | svchost.exe | 6
PID 2724 wrote to memory of 492 | 2724 | svchost.exe | 7
PID 2724 wrote to memory of 500 | 2724 | svchost.exe | 8
Processes
C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe | 1⤵ PID:256
C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | 1⤵ PID:336
C:\Windows\system32\wininit.exe | wininit.exe | 1⤵ PID:384
  C:\Windows\system32\services.exe | C:\Windows\system32\services.exe | 2⤵ PID:476
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch | 3⤵ PID:608
      C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe | 4⤵ PID:1624
      C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | 4⤵ PID:468
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS | 3⤵ PID:688
    C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted | 3⤵ PID:756
    C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted | 3⤵ PID:820
      C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | 4⤵ PID:1060
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | 3⤵ PID:868
      C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R | 4⤵ PID:2188
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService | 3⤵ PID:980
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService | 3⤵ PID:292
    C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | 3⤵ PID:1108
    C:\Windows\system32\taskhost.exe | "taskhost.exe" | 3⤵ PID:1120
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork | 3⤵ PID:1184
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" | 3⤵ PID:1084
    C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation | 3⤵ PID:1920
    C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | 3⤵ PID:2152
  C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | 2⤵ PID:492
  C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe | 2⤵ PID:500
C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | 1⤵ PID:396
C:\Windows\system32\winlogon.exe | winlogon.exe | 1⤵ PID:432
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | 1⤵ PID:1100
  C:\Users\Admin\AppData\Local\Temp\e2bbd596179582e40b8771379774f5e3_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\e2bbd596179582e40b8771379774f5e3_JaffaCakes118.exe" | 2⤵ PID:2464
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\WaterMark.exe | "C:\Program Files (x86)\Microsoft\WaterMark.exe" | 3⤵ PID:2772
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | 4⤵ PID:1496
      - Modifies WinLogon for persistence
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe | 4⤵ PID:2724
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads