Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
02/02/2025, 14:02
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe
Resource
win10v2004-20250129-en
General
-
Target
JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe
-
Size
808KB
-
MD5
7d88f1dc07795ebf10f9cb025c26df1c
-
SHA1
8b40bac4815a1f423bfb7392f3cd829d19a57425
-
SHA256
6099d3db49deb0b3e10f6ec70b77890facf037312ad54c3a5d279d7837ab3342
-
SHA512
9c8a0be31083ed5a0732b1ab5dd168dfd9b73d7939f78afba7827462863b1d2c3a8bf610927b30186a44957cd96129ca7c11e0f5a652084c53e36f8b8b2cb37e
-
SSDEEP
12288:RaTD5Z1TJnOKbSezj36YL/watEp1RMMTV+eFiGUCHF32:y5ZNJdbFfK6/lEpLTF9l
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 12 IoCs
resource yara_rule behavioral2/memory/5068-31-0x0000000000400000-0x0000000000471000-memory.dmp family_blackshades behavioral2/memory/5068-49-0x0000000000400000-0x0000000000471000-memory.dmp family_blackshades behavioral2/memory/5068-54-0x0000000000400000-0x0000000000471000-memory.dmp family_blackshades behavioral2/memory/5068-58-0x0000000000400000-0x0000000000471000-memory.dmp family_blackshades behavioral2/memory/5068-61-0x0000000000400000-0x0000000000471000-memory.dmp family_blackshades behavioral2/memory/5068-64-0x0000000000400000-0x0000000000471000-memory.dmp family_blackshades behavioral2/memory/5068-68-0x0000000000400000-0x0000000000471000-memory.dmp family_blackshades behavioral2/memory/5068-71-0x0000000000400000-0x0000000000471000-memory.dmp family_blackshades behavioral2/memory/5068-81-0x0000000000400000-0x0000000000471000-memory.dmp family_blackshades behavioral2/memory/5068-84-0x0000000000400000-0x0000000000471000-memory.dmp family_blackshades behavioral2/memory/5068-88-0x0000000000400000-0x0000000000471000-memory.dmp family_blackshades behavioral2/memory/5068-91-0x0000000000400000-0x0000000000471000-memory.dmp family_blackshades -
Modifies firewall policy service 3 TTPs 10 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\lf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lf.exe:*:Enabled:Windows Messanger" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\lf.exe = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe -
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run lf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\msnmsngr = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" lf.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A3CBAB9-CDDD-BCEE-FE93-8AEBEFCDFB5E}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" lf.exe Key created \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{0A3CBAB9-CDDD-BCEE-FE93-8AEBEFCDFB5E} lf.exe Set value (str) \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{0A3CBAB9-CDDD-BCEE-FE93-8AEBEFCDFB5E}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" lf.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A3CBAB9-CDDD-BCEE-FE93-8AEBEFCDFB5E} lf.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe -
Executes dropped EXE 2 IoCs
pid Process 4960 Server.exe 5068 lf.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msnmsngr = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" lf.exe Set value (str) \REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msnmsngr = "C:\\Users\\Admin\\AppData\\Roaming\\lf.exe" lf.exe -
resource yara_rule behavioral2/files/0x000b000000023b85-23.dat upx behavioral2/memory/5068-31-0x0000000000400000-0x0000000000471000-memory.dmp upx behavioral2/memory/5068-49-0x0000000000400000-0x0000000000471000-memory.dmp upx behavioral2/memory/5068-54-0x0000000000400000-0x0000000000471000-memory.dmp upx behavioral2/memory/5068-58-0x0000000000400000-0x0000000000471000-memory.dmp upx behavioral2/memory/5068-61-0x0000000000400000-0x0000000000471000-memory.dmp upx behavioral2/memory/5068-64-0x0000000000400000-0x0000000000471000-memory.dmp upx behavioral2/memory/5068-68-0x0000000000400000-0x0000000000471000-memory.dmp upx behavioral2/memory/5068-71-0x0000000000400000-0x0000000000471000-memory.dmp upx behavioral2/memory/5068-81-0x0000000000400000-0x0000000000471000-memory.dmp upx behavioral2/memory/5068-84-0x0000000000400000-0x0000000000471000-memory.dmp upx behavioral2/memory/5068-88-0x0000000000400000-0x0000000000471000-memory.dmp upx behavioral2/memory/5068-91-0x0000000000400000-0x0000000000471000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dw20.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString dw20.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 dw20.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS dw20.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dw20.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 532 reg.exe 2568 reg.exe 3500 reg.exe 1960 reg.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4960 Server.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: 1 5068 lf.exe Token: SeCreateTokenPrivilege 5068 lf.exe Token: SeAssignPrimaryTokenPrivilege 5068 lf.exe Token: SeLockMemoryPrivilege 5068 lf.exe Token: SeIncreaseQuotaPrivilege 5068 lf.exe Token: SeMachineAccountPrivilege 5068 lf.exe Token: SeTcbPrivilege 5068 lf.exe Token: SeSecurityPrivilege 5068 lf.exe Token: SeTakeOwnershipPrivilege 5068 lf.exe Token: SeLoadDriverPrivilege 5068 lf.exe Token: SeSystemProfilePrivilege 5068 lf.exe Token: SeSystemtimePrivilege 5068 lf.exe Token: SeProfSingleProcessPrivilege 5068 lf.exe Token: SeIncBasePriorityPrivilege 5068 lf.exe Token: SeCreatePagefilePrivilege 5068 lf.exe Token: SeCreatePermanentPrivilege 5068 lf.exe Token: SeBackupPrivilege 5068 lf.exe Token: SeRestorePrivilege 5068 lf.exe Token: SeShutdownPrivilege 5068 lf.exe Token: SeDebugPrivilege 5068 lf.exe Token: SeAuditPrivilege 5068 lf.exe Token: SeSystemEnvironmentPrivilege 5068 lf.exe Token: SeChangeNotifyPrivilege 5068 lf.exe Token: SeRemoteShutdownPrivilege 5068 lf.exe Token: SeUndockPrivilege 5068 lf.exe Token: SeSyncAgentPrivilege 5068 lf.exe Token: SeEnableDelegationPrivilege 5068 lf.exe Token: SeManageVolumePrivilege 5068 lf.exe Token: SeImpersonatePrivilege 5068 lf.exe Token: SeCreateGlobalPrivilege 5068 lf.exe Token: 31 5068 lf.exe Token: 32 5068 lf.exe Token: 33 5068 lf.exe Token: 34 5068 lf.exe Token: 35 5068 lf.exe Token: SeDebugPrivilege 5068 lf.exe Token: SeDebugPrivilege 4960 Server.exe Token: SeRestorePrivilege 2844 dw20.exe Token: SeBackupPrivilege 2844 dw20.exe Token: SeBackupPrivilege 2844 dw20.exe Token: SeBackupPrivilege 2844 dw20.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 5068 lf.exe 5068 lf.exe 5068 lf.exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 3284 wrote to memory of 4960 3284 JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe 86 PID 3284 wrote to memory of 4960 3284 JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe 86 PID 3284 wrote to memory of 4960 3284 JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe 86 PID 3284 wrote to memory of 5068 3284 JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe 87 PID 3284 wrote to memory of 5068 3284 JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe 87 PID 3284 wrote to memory of 5068 3284 JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe 87 PID 5068 wrote to memory of 3176 5068 lf.exe 88 PID 5068 wrote to memory of 3176 5068 lf.exe 88 PID 5068 wrote to memory of 3176 5068 lf.exe 88 PID 5068 wrote to memory of 2252 5068 lf.exe 89 PID 5068 wrote to memory of 2252 5068 lf.exe 89 PID 5068 wrote to memory of 2252 5068 lf.exe 89 PID 5068 wrote to memory of 2812 5068 lf.exe 91 PID 5068 wrote to memory of 2812 5068 lf.exe 91 PID 5068 wrote to memory of 2812 5068 lf.exe 91 PID 5068 wrote to memory of 3104 5068 lf.exe 92 PID 5068 wrote to memory of 3104 5068 lf.exe 92 PID 5068 wrote to memory of 3104 5068 lf.exe 92 PID 3176 wrote to memory of 532 3176 cmd.exe 96 PID 3176 wrote to memory of 532 3176 cmd.exe 96 PID 3176 wrote to memory of 532 3176 cmd.exe 96 PID 2252 wrote to memory of 3500 2252 cmd.exe 98 PID 2252 wrote to memory of 3500 2252 cmd.exe 98 PID 2252 wrote to memory of 3500 2252 cmd.exe 98 PID 2812 wrote to memory of 2568 2812 cmd.exe 97 PID 2812 wrote to memory of 2568 2812 cmd.exe 97 PID 2812 wrote to memory of 2568 2812 cmd.exe 97 PID 3104 wrote to memory of 1960 3104 cmd.exe 99 PID 3104 wrote to memory of 1960 3104 cmd.exe 99 PID 3104 wrote to memory of 1960 3104 cmd.exe 99 PID 4960 wrote to memory of 2844 4960 Server.exe 103 PID 4960 wrote to memory of 2844 4960 Server.exe 103 PID 4960 wrote to memory of 2844 4960 Server.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7d88f1dc07795ebf10f9cb025c26df1c.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 16203⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2844
-
-
-
C:\Users\Admin\AppData\Local\Temp\lf.exe"C:\Users\Admin\AppData\Local\Temp\lf.exe"2⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:532
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\lf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\lf.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\lf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\lf.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3500
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2568
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lf.exe:*:Enabled:Windows Messanger" /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\lf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\lf.exe:*:Enabled:Windows Messanger" /f4⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1960
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
116KB
MD5905275d0ae6990d7bedbb9d73798a3dc
SHA1c645701c8a28bc0baea626220588579793f55379
SHA2565e92fc7ff5e192de2edb60c1a58647c00a3613ec7d6868f06de910c9bee2967a
SHA512af3541b5d11a3faf80bdf5f3bdb508ebf4272d05099c66667062f20a46653b34c464598d9207e9b78d9cc89a53602781fed73352a3fdcc12561e4b64efdcc372
-
Filesize
160KB
MD526f12296da8d7d93a4113d03d255c6e7
SHA104c423ea8b5d9a4f4ec6ca872ee3455536371a3a
SHA256fc95ecc78c16f9fa946adfa8df03a4c5effc8f1b19b70a14d2a18530641c9739
SHA5129fc7a593a2c2241e732053f2f0ad028eabbb3a00565e11d9f96a921345ef93a2c62e21d7c189ea25428122aa97565d6223423fccf8dc622c646ef66c5f648c6b
-
Filesize
34KB
MD5e118330b4629b12368d91b9df6488be0
SHA1ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA2563a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0