Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12/02/2025, 10:25
Static task
static1
Behavioral task
behavioral1
Sample
773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe
Resource
win10v2004-20250207-en
General
-
Target
773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe
-
Size
604KB
-
MD5
55cca528a03ec3a98137c46271f3f657
-
SHA1
49a044a803a4e3c0887971b212ca69552b72275f
-
SHA256
773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc
-
SHA512
c3cbad0c4401ea966d9f10cff5ccc3ddceca69d95afc81183c5abc57fffcca46c5f28d7daf0d99ec8275289a82b1f2e7946e899d0971348934eac07fec780d66
-
SSDEEP
12288:NcHg+OMkYnx+ZkeeUE9EylqAUB7ftCwYTJ0Q+iK:NJ86eUyEQ/OtI1c
Malware Config
Signatures
-
Modifies firewall policy service 3 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\RUNE.exe = "C:\\Users\\Admin\\AppData\\Roaming\\RUNE.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\svchost.exe = "C:\\Windows\\SysWOW64\\svchost.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe -
Executes dropped EXE 2 IoCs
pid Process 2200 Jload.exe 744 Jload.exe -
Loads dropped DLL 5 IoCs
pid Process 2580 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 2580 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 2580 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 2580 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 2580 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jload = "C:\\Users\\Admin\\AppData\\Roaming\\Jload\\Jload.exe" reg.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2180 set thread context of 2580 2180 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 30 PID 2200 set thread context of 744 2200 Jload.exe 35 PID 2200 set thread context of 2436 2200 Jload.exe 36 -
resource yara_rule behavioral1/memory/2580-432-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral1/memory/744-977-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral1/memory/2580-998-0x0000000000400000-0x000000000040B000-memory.dmp upx behavioral1/memory/744-1003-0x0000000000400000-0x000000000040B000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jload.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jload.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 2100 reg.exe 2380 reg.exe 1788 reg.exe 2376 reg.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: 1 2436 svchost.exe Token: SeCreateTokenPrivilege 2436 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2436 svchost.exe Token: SeLockMemoryPrivilege 2436 svchost.exe Token: SeIncreaseQuotaPrivilege 2436 svchost.exe Token: SeMachineAccountPrivilege 2436 svchost.exe Token: SeTcbPrivilege 2436 svchost.exe Token: SeSecurityPrivilege 2436 svchost.exe Token: SeTakeOwnershipPrivilege 2436 svchost.exe Token: SeLoadDriverPrivilege 2436 svchost.exe Token: SeSystemProfilePrivilege 2436 svchost.exe Token: SeSystemtimePrivilege 2436 svchost.exe Token: SeProfSingleProcessPrivilege 2436 svchost.exe Token: SeIncBasePriorityPrivilege 2436 svchost.exe Token: SeCreatePagefilePrivilege 2436 svchost.exe Token: SeCreatePermanentPrivilege 2436 svchost.exe Token: SeBackupPrivilege 2436 svchost.exe Token: SeRestorePrivilege 2436 svchost.exe Token: SeShutdownPrivilege 2436 svchost.exe Token: SeDebugPrivilege 2436 svchost.exe Token: SeAuditPrivilege 2436 svchost.exe Token: SeSystemEnvironmentPrivilege 2436 svchost.exe Token: SeChangeNotifyPrivilege 2436 svchost.exe Token: SeRemoteShutdownPrivilege 2436 svchost.exe Token: SeUndockPrivilege 2436 svchost.exe Token: SeSyncAgentPrivilege 2436 svchost.exe Token: SeEnableDelegationPrivilege 2436 svchost.exe Token: SeManageVolumePrivilege 2436 svchost.exe Token: SeImpersonatePrivilege 2436 svchost.exe Token: SeCreateGlobalPrivilege 2436 svchost.exe Token: 31 2436 svchost.exe Token: 32 2436 svchost.exe Token: 33 2436 svchost.exe Token: 34 2436 svchost.exe Token: 35 2436 svchost.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe Token: SeDebugPrivilege 744 Jload.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 2180 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 2580 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 2200 Jload.exe 2436 svchost.exe 2436 svchost.exe 744 Jload.exe 2436 svchost.exe 2436 svchost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2180 wrote to memory of 2580 2180 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 30 PID 2180 wrote to memory of 2580 2180 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 30 PID 2180 wrote to memory of 2580 2180 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 30 PID 2180 wrote to memory of 2580 2180 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 30 PID 2180 wrote to memory of 2580 2180 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 30 PID 2180 wrote to memory of 2580 2180 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 30 PID 2180 wrote to memory of 2580 2180 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 30 PID 2180 wrote to memory of 2580 2180 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 30 PID 2580 wrote to memory of 668 2580 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 31 PID 2580 wrote to memory of 668 2580 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 31 PID 2580 wrote to memory of 668 2580 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 31 PID 2580 wrote to memory of 668 2580 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 31 PID 668 wrote to memory of 2644 668 cmd.exe 33 PID 668 wrote to memory of 2644 668 cmd.exe 33 PID 668 wrote to memory of 2644 668 cmd.exe 33 PID 668 wrote to memory of 2644 668 cmd.exe 33 PID 2580 wrote to memory of 2200 2580 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 34 PID 2580 wrote to memory of 2200 2580 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 34 PID 2580 wrote to memory of 2200 2580 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 34 PID 2580 wrote to memory of 2200 2580 773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe 34 PID 2200 wrote to memory of 744 2200 Jload.exe 35 PID 2200 wrote to memory of 744 2200 Jload.exe 35 PID 2200 wrote to memory of 744 2200 Jload.exe 35 PID 2200 wrote to memory of 744 2200 Jload.exe 35 PID 2200 wrote to memory of 744 2200 Jload.exe 35 PID 2200 wrote to memory of 744 2200 Jload.exe 35 PID 2200 wrote to memory of 744 2200 Jload.exe 35 PID 2200 wrote to memory of 744 2200 Jload.exe 35 PID 2200 wrote to memory of 2436 2200 Jload.exe 36 PID 2200 wrote to memory of 2436 2200 Jload.exe 36 PID 2200 wrote to memory of 2436 2200 Jload.exe 36 PID 2200 wrote to memory of 2436 2200 Jload.exe 36 PID 2200 wrote to memory of 2436 2200 Jload.exe 36 PID 2200 wrote to memory of 2436 2200 Jload.exe 36 PID 2200 wrote to memory of 2436 2200 Jload.exe 36 PID 2200 wrote to memory of 2436 2200 Jload.exe 36 PID 2436 wrote to memory of 2224 2436 svchost.exe 37 PID 2436 wrote to memory of 2224 2436 svchost.exe 37 PID 2436 wrote to memory of 2224 2436 svchost.exe 37 PID 2436 wrote to memory of 2224 2436 svchost.exe 37 PID 2436 wrote to memory of 1764 2436 svchost.exe 38 PID 2436 wrote to memory of 1764 2436 svchost.exe 38 PID 2436 wrote to memory of 1764 2436 svchost.exe 38 PID 2436 wrote to memory of 1764 2436 svchost.exe 38 PID 2436 wrote to memory of 1336 2436 svchost.exe 40 PID 2436 wrote to memory of 1336 2436 svchost.exe 40 PID 2436 wrote to memory of 1336 2436 svchost.exe 40 PID 2436 wrote to memory of 1336 2436 svchost.exe 40 PID 2436 wrote to memory of 2472 2436 svchost.exe 42 PID 2436 wrote to memory of 2472 2436 svchost.exe 42 PID 2436 wrote to memory of 2472 2436 svchost.exe 42 PID 2436 wrote to memory of 2472 2436 svchost.exe 42 PID 1336 wrote to memory of 1788 1336 cmd.exe 45 PID 1336 wrote to memory of 1788 1336 cmd.exe 45 PID 1336 wrote to memory of 1788 1336 cmd.exe 45 PID 1336 wrote to memory of 1788 1336 cmd.exe 45 PID 1764 wrote to memory of 2380 1764 cmd.exe 46 PID 1764 wrote to memory of 2380 1764 cmd.exe 46 PID 1764 wrote to memory of 2380 1764 cmd.exe 46 PID 1764 wrote to memory of 2380 1764 cmd.exe 46 PID 2224 wrote to memory of 2100 2224 cmd.exe 47 PID 2224 wrote to memory of 2100 2224 cmd.exe 47 PID 2224 wrote to memory of 2100 2224 cmd.exe 47 PID 2224 wrote to memory of 2100 2224 cmd.exe 47
Processes
-
C:\Users\Admin\AppData\Local\Temp\773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe"C:\Users\Admin\AppData\Local\Temp\773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Users\Admin\AppData\Local\Temp\773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe"C:\Users\Admin\AppData\Local\Temp\773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe"2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\JAUVJ.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Jload" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Jload\Jload.exe" /f4⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2644
-
-
-
C:\Users\Admin\AppData\Roaming\Jload\Jload.exe"C:\Users\Admin\AppData\Roaming\Jload\Jload.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Users\Admin\AppData\Roaming\Jload\Jload.exe"C:\Users\Admin\AppData\Roaming\Jload\Jload.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:744
-
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\system32\svchost.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f6⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2100
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\svchost.exe" /t REG_SZ /d "C:\Windows\SysWOW64\svchost.exe:*:Enabled:Windows Messanger" /f5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\svchost.exe" /t REG_SZ /d "C:\Windows\SysWOW64\svchost.exe:*:Enabled:Windows Messanger" /f6⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2380
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f6⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1788
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RUNE.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RUNE.exe:*:Enabled:Windows Messanger" /f5⤵
- System Location Discovery: System Language Discovery
PID:2472 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RUNE.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RUNE.exe:*:Enabled:Windows Messanger" /f6⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2376
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
138B
MD5bc18986a524cd5015b00135cbf312330
SHA165c0fa726aa3b129e2d94a5518186c3cd866f3c0
SHA256f27d92575749ef19cccc68a524662607f5be5ed2fb415fe7de4f4927f521709c
SHA512afae8a27a1c64fedd75e9786bbeb4fc8c21795bb2cfd23a749e8de3f102977b391186597d8892cce7be71360b264b22c38a2eaf9507375c1d4e75a5586e8db2e
-
Filesize
604KB
MD5e9675fc3fc2145e7559891b23441eeb7
SHA1333021a7645a1059e967462d40b49687f073338e
SHA2565e3d7553fca70c67b504edf002b5e5fc62c8c807b12cc16187c20c2a7ee56e03
SHA5121fce858516d71da74b44869bb0b64ccbb6bd9dfe1ccb6bfadeffd730b55270d0ce2eab0e84df4c3f72c91039008890e776bacfacceec7a111e103b8eef0987af