Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16-01-2025 21:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
JaffaCakes118_827810045474c584f000c7c121ac76f4.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
150 seconds
General
-
Target
JaffaCakes118_827810045474c584f000c7c121ac76f4.exe
-
Size
95KB
-
MD5
827810045474c584f000c7c121ac76f4
-
SHA1
ca0439b44f0b124d3514806af0de945873a5101f
-
SHA256
1a2a7c809c05805f7b5b02c4856415f8c350659b58e69a7bf178ff3fc4651eee
-
SHA512
fdd2af88aa2ef8596977beef2e9e11a64e48ee7e62a1a5b0e064b59689cebac5a38033d6455d071ec2aab1c1c08520cf6d4687bb443a33d794ef442a7daa9473
-
SSDEEP
768:R06R0UrgnKqGR7//GPc0LOBhvBrHks3IiyhDYQbGmxlNaM+WGa1wuxnzgOYw9ICW:3R0jn3Pc0LCH9MtbvabUDzJYWu3B
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Ramnit family
-
Executes dropped EXE 1 IoCs
pid Process 2836 WaterMark.exe -
Loads dropped DLL 2 IoCs
pid Process 2620 JaffaCakes118_827810045474c584f000c7c121ac76f4.exe 2620 JaffaCakes118_827810045474c584f000c7c121ac76f4.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
resource yara_rule behavioral1/memory/2620-3-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2620-7-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2620-8-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2620-6-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2620-2-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2620-1-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2620-0-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2836-28-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2836-29-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2836-75-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2836-599-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\wab32.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\server\jvm.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libnoseek_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe svchost.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\ReachFramework.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libimage_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\atl.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libchain_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libgrey_yuv_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\rtscom.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\JAWTAccessBridge-64.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\splashscreen.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_chromecast_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_dummy_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\picturePuzzle.html svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXPSRV.DLL svchost.exe File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSLoc.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\prism-d3d.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\README.html svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.RunTime.Serialization.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libmmdevice_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\calendar.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxslt.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\java.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Design.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libjpeg_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dirac_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIB.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\xlsrvintl.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\iexplore.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html svchost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\NPAUTHZ.DLL svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libvoc_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libwgl_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsepia_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe svchost.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IdentityModel.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Xml.Linq.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Xml.Linq.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Defender\MpRTP.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\msvcr100.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Net.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libkate_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\sidebar.exe svchost.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe svchost.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_827810045474c584f000c7c121ac76f4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process 2836 WaterMark.exe 2836 WaterMark.exe 2836 WaterMark.exe 2836 WaterMark.exe 2836 WaterMark.exe 2836 WaterMark.exe 2836 WaterMark.exe 2836 WaterMark.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe 752 svchost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2836 WaterMark.exe Token: SeDebugPrivilege 752 svchost.exe Token: SeDebugPrivilege 2836 WaterMark.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 2620 JaffaCakes118_827810045474c584f000c7c121ac76f4.exe 2836 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2620 wrote to memory of 2836 2620 JaffaCakes118_827810045474c584f000c7c121ac76f4.exe 30 PID 2620 wrote to memory of 2836 2620 JaffaCakes118_827810045474c584f000c7c121ac76f4.exe 30 PID 2620 wrote to memory of 2836 2620 JaffaCakes118_827810045474c584f000c7c121ac76f4.exe 30 PID 2620 wrote to memory of 2836 2620 JaffaCakes118_827810045474c584f000c7c121ac76f4.exe 30 PID 2836 wrote to memory of 2312 2836 WaterMark.exe 31 PID 2836 wrote to memory of 2312 2836 WaterMark.exe 31 PID 2836 wrote to memory of 2312 2836 WaterMark.exe 31 PID 2836 wrote to memory of 2312 2836 WaterMark.exe 31 PID 2836 wrote to memory of 2312 2836 WaterMark.exe 31 PID 2836 wrote to memory of 2312 2836 WaterMark.exe 31 PID 2836 wrote to memory of 2312 2836 WaterMark.exe 31 PID 2836 wrote to memory of 2312 2836 WaterMark.exe 31 PID 2836 wrote to memory of 2312 2836 WaterMark.exe 31 PID 2836 wrote to memory of 2312 2836 WaterMark.exe 31 PID 2836 wrote to memory of 752 2836 WaterMark.exe 32 PID 2836 wrote to memory of 752 2836 WaterMark.exe 32 PID 2836 wrote to memory of 752 2836 WaterMark.exe 32 PID 2836 wrote to memory of 752 2836 WaterMark.exe 32 PID 2836 wrote to memory of 752 2836 WaterMark.exe 32 PID 2836 wrote to memory of 752 2836 WaterMark.exe 32 PID 2836 wrote to memory of 752 2836 WaterMark.exe 32 PID 2836 wrote to memory of 752 2836 WaterMark.exe 32 PID 2836 wrote to memory of 752 2836 WaterMark.exe 32 PID 2836 wrote to memory of 752 2836 WaterMark.exe 32 PID 752 wrote to memory of 256 752 svchost.exe 1 PID 752 wrote to memory of 256 752 svchost.exe 1 PID 752 wrote to memory of 256 752 svchost.exe 1 PID 752 wrote to memory of 256 752 svchost.exe 1 PID 752 wrote to memory of 256 752 svchost.exe 1 PID 752 wrote to memory of 332 752 svchost.exe 2 PID 752 wrote to memory of 332 752 svchost.exe 2 PID 752 wrote to memory of 332 752 svchost.exe 2 PID 752 wrote to memory of 332 752 svchost.exe 2 PID 752 wrote to memory of 332 752 svchost.exe 2 PID 752 wrote to memory of 380 752 svchost.exe 3 PID 752 wrote to memory of 380 752 svchost.exe 3 PID 752 wrote to memory of 380 752 svchost.exe 3 PID 752 wrote to memory of 380 752 svchost.exe 3 PID 752 wrote to memory of 380 752 svchost.exe 3 PID 752 wrote to memory of 388 752 svchost.exe 4 PID 752 wrote to memory of 388 752 svchost.exe 4 PID 752 wrote to memory of 388 752 svchost.exe 4 PID 752 wrote to memory of 388 752 svchost.exe 4 PID 752 wrote to memory of 388 752 svchost.exe 4 PID 752 wrote to memory of 428 752 svchost.exe 5 PID 752 wrote to memory of 428 752 svchost.exe 5 PID 752 wrote to memory of 428 752 svchost.exe 5 PID 752 wrote to memory of 428 752 svchost.exe 5 PID 752 wrote to memory of 428 752 svchost.exe 5 PID 752 wrote to memory of 472 752 svchost.exe 6 PID 752 wrote to memory of 472 752 svchost.exe 6 PID 752 wrote to memory of 472 752 svchost.exe 6 PID 752 wrote to memory of 472 752 svchost.exe 6 PID 752 wrote to memory of 472 752 svchost.exe 6 PID 752 wrote to memory of 488 752 svchost.exe 7 PID 752 wrote to memory of 488 752 svchost.exe 7 PID 752 wrote to memory of 488 752 svchost.exe 7 PID 752 wrote to memory of 488 752 svchost.exe 7 PID 752 wrote to memory of 488 752 svchost.exe 7 PID 752 wrote to memory of 496 752 svchost.exe 8 PID 752 wrote to memory of 496 752 svchost.exe 8 PID 752 wrote to memory of 496 752 svchost.exe 8 PID 752 wrote to memory of 496 752 svchost.exe 8 PID 752 wrote to memory of 496 752 svchost.exe 8
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:256
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:332
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:380
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:472
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:596
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵PID:1228
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:1376
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:672
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:744
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:812
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1108
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:856
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:976
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:296
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:1028
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1052
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:1132
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵PID:2016
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:1616
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:268
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:488
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:496
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:388
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:428
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1160
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_827810045474c584f000c7c121ac76f4.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_827810045474c584f000c7c121ac76f4.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2312
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize204KB
MD5e3d8cf58a0149c599b014484a9079cc2
SHA156b029f8b2e2e38bd73639a22aed7584f70c5ef1
SHA2565af80ed46b09102db3913bb1c9e942d8e00de8002961ea95d1d841e8464c78f4
SHA512e946ad61a63e5fc3ea064402f1125e687a0f6ab6a35f38e97bcbeb06b90070bf7204901337c771a9c0294bc931f748e46ed08ac67bfeee1bcbcacb8a8f11cc86
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize200KB
MD588a7d0967bbd1ab9bc7559088273613d
SHA157c5967f6e4022f0cb1f0964b59c5478461718d9
SHA256ecd01ae056d8e421c8aa0c0011ebdf79d1cd01c4531cd83a801ceb2e5e3d20c7
SHA512d75d511de3418a7b9413d1d6b03fb375d89ccab0e96a16469b3a1cf00936e374fb9fe3a6901be95778d48e7f8f981bf60cd4b107522f202e000871a2fb2ecefb
-
Filesize
95KB
MD5827810045474c584f000c7c121ac76f4
SHA1ca0439b44f0b124d3514806af0de945873a5101f
SHA2561a2a7c809c05805f7b5b02c4856415f8c350659b58e69a7bf178ff3fc4651eee
SHA512fdd2af88aa2ef8596977beef2e9e11a64e48ee7e62a1a5b0e064b59689cebac5a38033d6455d071ec2aab1c1c08520cf6d4687bb443a33d794ef442a7daa9473