Analysis
-
max time kernel
149s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
14/02/2025, 18:08
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe
Resource
win10v2004-20250211-en
General
-
Target
JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe
-
Size
3.2MB
-
MD5
fa7e7d5edba288e9a95e4900206fbf70
-
SHA1
f6102046c18472bc0b693704f21f17e705dbc439
-
SHA256
0d517d250b9e225215ad9b645b58684833571f2ef66509ad7c18a7a47fec7f64
-
SHA512
04b110915bced26833878d7e8ad5a3d9db8f34c6de3a44038cbf496c49197482ebc0717c0ae1539f89a18043d401e3ff0afcff41326ee2c8b9d52119fca3cd8e
-
SSDEEP
49152:4NjcJogDk4FTI5d81YkJ0CoiLNyOEe9hl3qJaMScJ0:
Malware Config
Signatures
-
Blackshades
Blackshades is a remote access trojan with various capabilities.
-
Blackshades family
-
Blackshades payload 11 IoCs
resource yara_rule behavioral1/memory/2100-48-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades behavioral1/memory/2100-45-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades behavioral1/memory/2100-60-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades behavioral1/memory/2100-61-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades behavioral1/memory/2100-62-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades behavioral1/memory/2100-64-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades behavioral1/memory/2100-65-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades behavioral1/memory/2100-68-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades behavioral1/memory/2100-69-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades behavioral1/memory/2100-73-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades behavioral1/memory/2100-74-0x0000000000400000-0x0000000000456000-memory.dmp family_blackshades -
Modifies firewall policy service 3 TTPs 8 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe:*:Enabled:Windows Messanger" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" reg.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List reg.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\update.exe = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe:*:Enabled:Windows Messanger" reg.exe -
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run vbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\update = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe" vbc.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69E929BC-DBDA-CAEB-3DAE-BEFDD7DDE9FF} vbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69E929BC-DBDA-CAEB-3DAE-BEFDD7DDE9FF}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe" vbc.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{69E929BC-DBDA-CAEB-3DAE-BEFDD7DDE9FF} vbc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components\{69E929BC-DBDA-CAEB-3DAE-BEFDD7DDE9FF}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe" vbc.exe -
Executes dropped EXE 2 IoCs
pid Process 1636 update2.exe 596 is63.exe -
Loads dropped DLL 6 IoCs
pid Process 2344 JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe 2344 JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe 2344 JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe 1636 update2.exe 1636 update2.exe 1636 update2.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe" vbc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe" vbc.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 596 set thread context of 2848 596 is63.exe 33 PID 1636 set thread context of 2100 1636 update2.exe 34 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language update2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language is63.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Modifies registry key 1 TTPs 4 IoCs
pid Process 2952 reg.exe 2536 reg.exe 1676 reg.exe 2700 reg.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1636 update2.exe 596 is63.exe -
Suspicious use of AdjustPrivilegeToken 38 IoCs
description pid Process Token: SeDebugPrivilege 1636 update2.exe Token: SeDebugPrivilege 596 is63.exe Token: 1 2100 vbc.exe Token: SeCreateTokenPrivilege 2100 vbc.exe Token: SeAssignPrimaryTokenPrivilege 2100 vbc.exe Token: SeLockMemoryPrivilege 2100 vbc.exe Token: SeIncreaseQuotaPrivilege 2100 vbc.exe Token: SeMachineAccountPrivilege 2100 vbc.exe Token: SeTcbPrivilege 2100 vbc.exe Token: SeSecurityPrivilege 2100 vbc.exe Token: SeTakeOwnershipPrivilege 2100 vbc.exe Token: SeLoadDriverPrivilege 2100 vbc.exe Token: SeSystemProfilePrivilege 2100 vbc.exe Token: SeSystemtimePrivilege 2100 vbc.exe Token: SeProfSingleProcessPrivilege 2100 vbc.exe Token: SeIncBasePriorityPrivilege 2100 vbc.exe Token: SeCreatePagefilePrivilege 2100 vbc.exe Token: SeCreatePermanentPrivilege 2100 vbc.exe Token: SeBackupPrivilege 2100 vbc.exe Token: SeRestorePrivilege 2100 vbc.exe Token: SeShutdownPrivilege 2100 vbc.exe Token: SeDebugPrivilege 2100 vbc.exe Token: SeAuditPrivilege 2100 vbc.exe Token: SeSystemEnvironmentPrivilege 2100 vbc.exe Token: SeChangeNotifyPrivilege 2100 vbc.exe Token: SeRemoteShutdownPrivilege 2100 vbc.exe Token: SeUndockPrivilege 2100 vbc.exe Token: SeSyncAgentPrivilege 2100 vbc.exe Token: SeEnableDelegationPrivilege 2100 vbc.exe Token: SeManageVolumePrivilege 2100 vbc.exe Token: SeImpersonatePrivilege 2100 vbc.exe Token: SeCreateGlobalPrivilege 2100 vbc.exe Token: 31 2100 vbc.exe Token: 32 2100 vbc.exe Token: 33 2100 vbc.exe Token: 34 2100 vbc.exe Token: 35 2100 vbc.exe Token: SeDebugPrivilege 2100 vbc.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2100 vbc.exe 2100 vbc.exe 2100 vbc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2344 wrote to memory of 1636 2344 JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe 31 PID 2344 wrote to memory of 1636 2344 JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe 31 PID 2344 wrote to memory of 1636 2344 JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe 31 PID 2344 wrote to memory of 1636 2344 JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe 31 PID 2344 wrote to memory of 1636 2344 JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe 31 PID 2344 wrote to memory of 1636 2344 JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe 31 PID 2344 wrote to memory of 1636 2344 JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe 31 PID 2344 wrote to memory of 596 2344 JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe 32 PID 2344 wrote to memory of 596 2344 JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe 32 PID 2344 wrote to memory of 596 2344 JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe 32 PID 2344 wrote to memory of 596 2344 JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe 32 PID 596 wrote to memory of 2848 596 is63.exe 33 PID 596 wrote to memory of 2848 596 is63.exe 33 PID 596 wrote to memory of 2848 596 is63.exe 33 PID 596 wrote to memory of 2848 596 is63.exe 33 PID 596 wrote to memory of 2848 596 is63.exe 33 PID 596 wrote to memory of 2848 596 is63.exe 33 PID 596 wrote to memory of 2848 596 is63.exe 33 PID 596 wrote to memory of 2848 596 is63.exe 33 PID 596 wrote to memory of 2848 596 is63.exe 33 PID 596 wrote to memory of 2848 596 is63.exe 33 PID 1636 wrote to memory of 2100 1636 update2.exe 34 PID 1636 wrote to memory of 2100 1636 update2.exe 34 PID 1636 wrote to memory of 2100 1636 update2.exe 34 PID 1636 wrote to memory of 2100 1636 update2.exe 34 PID 1636 wrote to memory of 2100 1636 update2.exe 34 PID 1636 wrote to memory of 2100 1636 update2.exe 34 PID 1636 wrote to memory of 2100 1636 update2.exe 34 PID 1636 wrote to memory of 2100 1636 update2.exe 34 PID 1636 wrote to memory of 2100 1636 update2.exe 34 PID 1636 wrote to memory of 2100 1636 update2.exe 34 PID 1636 wrote to memory of 2100 1636 update2.exe 34 PID 2100 wrote to memory of 2696 2100 vbc.exe 35 PID 2100 wrote to memory of 2696 2100 vbc.exe 35 PID 2100 wrote to memory of 2696 2100 vbc.exe 35 PID 2100 wrote to memory of 2696 2100 vbc.exe 35 PID 2100 wrote to memory of 2696 2100 vbc.exe 35 PID 2100 wrote to memory of 2696 2100 vbc.exe 35 PID 2100 wrote to memory of 2696 2100 vbc.exe 35 PID 2100 wrote to memory of 2704 2100 vbc.exe 36 PID 2100 wrote to memory of 2704 2100 vbc.exe 36 PID 2100 wrote to memory of 2704 2100 vbc.exe 36 PID 2100 wrote to memory of 2704 2100 vbc.exe 36 PID 2100 wrote to memory of 2704 2100 vbc.exe 36 PID 2100 wrote to memory of 2704 2100 vbc.exe 36 PID 2100 wrote to memory of 2704 2100 vbc.exe 36 PID 2100 wrote to memory of 1624 2100 vbc.exe 37 PID 2100 wrote to memory of 1624 2100 vbc.exe 37 PID 2100 wrote to memory of 1624 2100 vbc.exe 37 PID 2100 wrote to memory of 1624 2100 vbc.exe 37 PID 2100 wrote to memory of 1624 2100 vbc.exe 37 PID 2100 wrote to memory of 1624 2100 vbc.exe 37 PID 2100 wrote to memory of 1624 2100 vbc.exe 37 PID 2100 wrote to memory of 2116 2100 vbc.exe 38 PID 2100 wrote to memory of 2116 2100 vbc.exe 38 PID 2100 wrote to memory of 2116 2100 vbc.exe 38 PID 2100 wrote to memory of 2116 2100 vbc.exe 38 PID 2100 wrote to memory of 2116 2100 vbc.exe 38 PID 2100 wrote to memory of 2116 2100 vbc.exe 38 PID 2100 wrote to memory of 2116 2100 vbc.exe 38 PID 2704 wrote to memory of 2700 2704 cmd.exe 43 PID 2704 wrote to memory of 2700 2704 cmd.exe 43 PID 2704 wrote to memory of 2700 2704 cmd.exe 43 PID 2704 wrote to memory of 2700 2704 cmd.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa7e7d5edba288e9a95e4900206fbf70.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Users\Admin\AppData\Local\Temp\update2.exe"C:\Users\Admin\AppData\Local\Temp\update2.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe3⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2952
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2700
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f4⤵
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1676
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\update.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\update.exe:*:Enabled:Windows Messanger" /f4⤵
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\reg.exeREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\update.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\update.exe:*:Enabled:Windows Messanger" /f5⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2536
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is63.exe"C:\Users\Admin\AppData\Local\Temp\is63.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:596 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe3⤵
- System Location Discovery: System Language Discovery
PID:2848
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
612KB
MD55151fc17f564a6957f7638fac81b4189
SHA1cbae925ff16608cfd4bd1a9b65bd6db3f0acefc6
SHA2565c94615a6a6fe91013284e519a5168cb9d331a02d2232e0c16b31bc1647e3c72
SHA512f379dcd542ec3a59b5b91e38c2c1d3d2d99cf118f49e00d6195c3c4bee601ad2b46f30eeacf02db73bb0fcdb65128b1bc569a073e0f7aea874545c9faa01b5ca
-
Filesize
592KB
MD5773b23201407b8009404952159e8dc27
SHA152a48f92fd40530da17066b291bef66b6fae8f8a
SHA2565aa6487ff9ed17b6eca8e973bc829ff436bfd6cfb9b037a46bc7d3ab75001b9d
SHA512279171274dad941f91325e5c704eb556cf9ef180dda77754d50fe884ccea4b952d3f1ff5bc3e9b900fa48fc0098cad284630529fe202713d76e3f3f26be7d06e