Overview
- overview: score 10
- static: score 3
- Lang/lang-1049.dll (windows7-x64): score 1
- Lang/lang-1049.dll (windows10-2004-x64): score 1
- Lang/lang-1058.dll (windows7-x64): score 1
- Lang/lang-1058.dll (windows10-2004-x64): score 1
- avcodec-58.dll (windows7-x64): score 1
- avcodec-58.dll (windows10-2004-x64): score 1
- installer_....9.exe (windows7-x64): score 10
- installer_....9.exe (windows10-2004-x64): score 10
- opengl32sw.dll (windows7-x64): score 1
- opengl32sw.dll (windows10-2004-x64): score 1
- vcruntime140.dll (windows7-x64): score 1
- vcruntime140.dll (windows10-2004-x64): score 1
- winrar-x64.exe (windows7-x64): score 5
- winrar-x64.exe (windows10-2004-x64): score 1
Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 06-01-2025 21:54
Static task
- static1
Behavioral tasks (sample / resource)
- behavioral1: Lang/lang-1049.dll / win7-20241023-en
- behavioral2: Lang/lang-1049.dll / win10v2004-20241007-en
- behavioral3: Lang/lang-1058.dll / win7-20241010-en
- behavioral4: Lang/lang-1058.dll / win10v2004-20241007-en
- behavioral5: avcodec-58.dll / win7-20240903-en
- behavioral6: avcodec-58.dll / win10v2004-20241007-en
- behavioral7: installer_1.05_36.9.exe / win7-20240903-en
- behavioral8: installer_1.05_36.9.exe / win10v2004-20241007-en
- behavioral9: opengl32sw.dll / win7-20240903-en
- behavioral10: opengl32sw.dll / win10v2004-20241007-en
- behavioral11: vcruntime140.dll / win7-20241010-en
- behavioral12: vcruntime140.dll / win10v2004-20241007-en
- behavioral13: winrar-x64.exe / win7-20240903-en
- behavioral14: winrar-x64.exe / win10v2004-20241007-en
General
- Target: winrar-x64.exe
- Size: 3.6MB
- MD5: 517023aad9ad2f3200057ce0b704e196
- SHA1: 7612058b5f0f87327b2957d5da63a2c6e65b0ea1
- SHA256: de1d9040786c80f3f40f41c98aa1f6b14fc7b6f2d3db09eceadd340327164f8e
- SHA512: bef1b7268d8c2c1f6c900fe392ecf11d2cd518dfa9944fb77c29c2306d20d89052a39c45d689054173ce866be1e93d4b3097131a120cd7567092527e1f50b3e1
- SSDEEP: 98304:vABAG9dn8V6e3yfnjvg6Tuq1LA28xv12m2ERCHo:va9dXh6q1Lf8xv5tCI
Malware Config
Signatures
- Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (60 IoCs)
- Executes dropped EXE (1 IoCs)
  - pid 2652, uninstall.exe
- Loads dropped DLL (7 IoCs)
  - pid 2400, winrar-x64.exe
  - pid 1216, Process not Found
  - pid 2652, uninstall.exe
  - pid 2652, uninstall.exe
  - pid 2652, uninstall.exe
  - pid 1216, Process not Found
  - pid 1216, Process not Found
- Modifies system executable filetype association (2 TTPs, 8 IoCs)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} (uninstall.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ (uninstall.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 (uninstall.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" (uninstall.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} (uninstall.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ (uninstall.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR (uninstall.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" (uninstall.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings (1 IoCs)
  - Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main (winrar-x64.exe)
- Modifies registry class (64 IoCs)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  - pid 2400, winrar-x64.exe
  - pid 2400, winrar-x64.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 2400 wrote to memory of 2652 (pid 2400, winrar-x64.exe, procid_target 28)
  - PID 2400 wrote to memory of 2652 (pid 2400, winrar-x64.exe, procid_target 28)
  - PID 2400 wrote to memory of 2652 (pid 2400, winrar-x64.exe, procid_target 28)
Processes
- C:\Users\Admin\AppData\Local\Temp\winrar-x64.exe (PID 2400)
  Command line: "C:\Users\Admin\AppData\Local\Temp\winrar-x64.exe"
  Signatures:
  - Drops file in Program Files directory
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Program Files\WinRAR\uninstall.exe (PID 2652)
    Command line: "C:\Program Files\WinRAR\uninstall.exe" /setup
    Signatures:
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads