Analysis
-
max time kernel
119s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
24/01/2025, 13:11
Behavioral task
behavioral1
Sample
0c7ef5b38a3667edb2b77df7e68219a68e68d81519b70002380ce5809b9c5654N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
0c7ef5b38a3667edb2b77df7e68219a68e68d81519b70002380ce5809b9c5654N.exe
Resource
win10v2004-20241007-en
General
-
Target
0c7ef5b38a3667edb2b77df7e68219a68e68d81519b70002380ce5809b9c5654N.exe
-
Size
1.5MB
-
MD5
93e6a9ffe500c907cf198a2dde600260
-
SHA1
e419285cf1d637faab23fbb3abcc11aa1a696340
-
SHA256
0c7ef5b38a3667edb2b77df7e68219a68e68d81519b70002380ce5809b9c5654
-
SHA512
53dacc2e1b5c704e589d257747e031c5368f1dade643f1b989cd91b503ec87dc846abcbb3f6f9643f70a54f8238bab395a2e3393cea9697fa3bdc854a369fae8
-
SSDEEP
12288:Y+Qf9NxkERr1JzrDTzz7wHxhW88KH6Yn77TCNp8jToZGrhR0ZooSl:Ox0j8KaYnfTYp8/oZMGZi
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 6 IoCs
resource yara_rule
behavioral1/memory/2964-68-0x0000000000400000-0x000000000045D000-memory.dmp family_blackshades
behavioral1/memory/2964-56-0x0000000000400000-0x000000000045D000-memory.dmp family_blackshades
behavioral1/memory/2964-73-0x0000000000400000-0x000000000045D000-memory.dmp family_blackshades
behavioral1/memory/2964-77-0x0000000000400000-0x000000000045D000-memory.dmp family_blackshades
behavioral1/memory/2964-79-0x0000000000400000-0x000000000045D000-memory.dmp family_blackshades
behavioral1/memory/2964-82-0x0000000000400000-0x000000000045D000-memory.dmp family_blackshades
-
Modifies firewall policy service 3 TTPs 8 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe = "C:\\Users\\Admin\\AppData\\Roaming\\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" reg.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe:*:Enabled:Windows Messanger" reg.exe
-
Executes dropped EXE 3 IoCs
pid Process
2196 winlogon.exe
2964 winlogon.exe
2836 winlogon.exe
-
Loads dropped DLL 7 IoCs
pid Process
2404 0c7ef5b38a3667edb2b77df7e68219a68e68d81519b70002380ce5809b9c5654N.exe
2404 0c7ef5b38a3667edb2b77df7e68219a68e68d81519b70002380ce5809b9c5654N.exe
2404 0c7ef5b38a3667edb2b77df7e68219a68e68d81519b70002380ce5809b9c5654N.exe
2404 0c7ef5b38a3667edb2b77df7e68219a68e68d81519b70002380ce5809b9c5654N.exe
2404 0c7ef5b38a3667edb2b77df7e68219a68e68d81519b70002380ce5809b9c5654N.exe
2196 winlogon.exe
2196 winlogon.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe" reg.exe
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target
PID 2196 set thread context of 2964 2196 winlogon.exe 34
PID 2196 set thread context of 2836 2196 winlogon.exe 35
-
resource yara_rule
behavioral1/memory/2404-0-0x0000000000400000-0x000000000058F000-memory.dmp upx
behavioral1/files/0x00080000000186ee-27.dat upx
behavioral1/memory/2404-47-0x0000000000400000-0x000000000058F000-memory.dmp upx
behavioral1/memory/2196-50-0x0000000000400000-0x000000000058F000-memory.dmp upx
behavioral1/memory/2836-69-0x0000000000400000-0x0000000000409000-memory.dmp upx
behavioral1/memory/2964-68-0x0000000000400000-0x000000000045D000-memory.dmp upx
behavioral1/memory/2836-64-0x0000000000400000-0x0000000000409000-memory.dmp upx
behavioral1/memory/2836-63-0x0000000000400000-0x0000000000409000-memory.dmp upx
behavioral1/memory/2964-51-0x0000000000400000-0x000000000045D000-memory.dmp upx
behavioral1/memory/2196-67-0x0000000000400000-0x000000000058F000-memory.dmp upx
behavioral1/memory/2836-60-0x0000000000400000-0x0000000000409000-memory.dmp upx
behavioral1/memory/2964-56-0x0000000000400000-0x000000000045D000-memory.dmp upx
behavioral1/memory/2964-55-0x0000000000400000-0x000000000045D000-memory.dmp upx
behavioral1/memory/2964-73-0x0000000000400000-0x000000000045D000-memory.dmp upx
behavioral1/memory/2836-74-0x0000000000400000-0x0000000000409000-memory.dmp upx
behavioral1/memory/2964-77-0x0000000000400000-0x000000000045D000-memory.dmp upx
behavioral1/memory/2964-79-0x0000000000400000-0x000000000045D000-memory.dmp upx
behavioral1/memory/2964-82-0x0000000000400000-0x000000000045D000-memory.dmp upx
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language winlogon.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0c7ef5b38a3667edb2b77df7e68219a68e68d81519b70002380ce5809b9c5654N.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
-
Modifies registry key 1 TTPs 4 IoCs
pid Process
2508 reg.exe
2668 reg.exe
2628 reg.exe
1316 reg.exe
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process
Token: 1 2964 winlogon.exe
Token: SeCreateTokenPrivilege 2964 winlogon.exe
Token: SeAssignPrimaryTokenPrivilege 2964 winlogon.exe
Token: SeLockMemoryPrivilege 2964 winlogon.exe
Token: SeIncreaseQuotaPrivilege 2964 winlogon.exe
Token: SeMachineAccountPrivilege 2964 winlogon.exe
Token: SeTcbPrivilege 2964 winlogon.exe
Token: SeSecurityPrivilege 2964 winlogon.exe
Token: SeTakeOwnershipPrivilege 2964 winlogon.exe
Token: SeLoadDriverPrivilege 2964 winlogon.exe
Token: SeSystemProfilePrivilege 2964 winlogon.exe
Token: SeSystemtimePrivilege 2964 winlogon.exe
Token: SeProfSingleProcessPrivilege 2964 winlogon.exe
Token: SeIncBasePriorityPrivilege 2964 winlogon.exe
Token: SeCreatePagefilePrivilege 2964 winlogon.exe
Token: SeCreatePermanentPrivilege 2964 winlogon.exe
Token: SeBackupPrivilege 2964 winlogon.exe
Token: SeRestorePrivilege 2964 winlogon.exe
Token: SeShutdownPrivilege 2964 winlogon.exe
Token: SeDebugPrivilege 2964 winlogon.exe
Token: SeAuditPrivilege 2964 winlogon.exe
Token: SeSystemEnvironmentPrivilege 2964 winlogon.exe
Token: SeChangeNotifyPrivilege 2964 winlogon.exe
Token: SeRemoteShutdownPrivilege 2964 winlogon.exe
Token: SeUndockPrivilege 2964 winlogon.exe
Token: SeSyncAgentPrivilege 2964 winlogon.exe
Token: SeEnableDelegationPrivilege 2964 winlogon.exe
Token: SeManageVolumePrivilege 2964 winlogon.exe
Token: SeImpersonatePrivilege 2964 winlogon.exe
Token: SeCreateGlobalPrivilege 2964 winlogon.exe
Token: 31 2964 winlogon.exe
Token: 32 2964 winlogon.exe
Token: 33 2964 winlogon.exe
Token: 34 2964 winlogon.exe
Token: 35 2964 winlogon.exe
Token: SeDebugPrivilege 2836 winlogon.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process
2404 0c7ef5b38a3667edb2b77df7e68219a68e68d81519b70002380ce5809b9c5654N.exe
2196 winlogon.exe
2964 winlogon.exe
2964 winlogon.exe
2836 winlogon.exe
2964 winlogon.exe
-
Suspicious use of WriteProcessMemory 62 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c7ef5b38a3667edb2b77df7e68219a68e68d81519b70002380ce5809b9c5654N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0c7ef5b38a3667edb2b77df7e68219a68e68d81519b70002380ce5809b9c5654N.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2404
  C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\QcLwj.bat" "
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2444
    C:\Windows\SysWOW64\reg.exe
    Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Winlogon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe" /f
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID: 2888
  C:\Users\Admin\AppData\Roaming\winlogon.exe
  Command line: "C:\Users\Admin\AppData\Roaming\winlogon.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2196
    C:\Users\Admin\AppData\Roaming\winlogon.exe
    Command line: C:\Users\Admin\AppData\Roaming\winlogon.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2964
      C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2880
        C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 2668
      C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2624
        C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 2628
      C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2620
        C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 2508
      C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2768
        C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - System Location Discovery: System Language Discovery
        - Modifies registry key
        PID: 1316
    C:\Users\Admin\AppData\Roaming\winlogon.exe
    Command line: C:\Users\Admin\AppData\Roaming\winlogon.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2836
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 1
- Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
- Windows Service: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 1
- Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 1
- Windows Service: 1
Defense Evasion
- Impair Defenses: 1
- Disable or Modify System Firewall: 1
- Modify Registry: 3