Analysis
-
max time kernel
100s -
max time network
102s -
platform
windows11-21h2_x64 -
resource
win11-20250313-en -
resource tags
arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system -
submitted
25/03/2025, 20:54
Static task
static1
Behavioral task
behavioral1
Sample
08.msi
Resource
win11-20250313-en
General
-
Target
08.msi
-
Size
5.7MB
-
MD5
436b14fb3637af66cfd787869decbb6f
-
SHA1
b94dab2a8de781973507172017019f0d89527056
-
SHA256
1bd7e0c46933e8dc11cb5375fe14600575ceed6f09fc14fc8b56032524f8bb42
-
SHA512
caad869b295e222c0999a8eee8f270e2d1b937484c69cbf9154211db4f30237d4277ae1549e34fe842f8dbf72660c2d3023eb65bad90d07cec2a23f902b2c0dd
-
SSDEEP
98304:9Yrd1ALFlGmyUMCW/x/64I7gXbzZFx7eG7eI243u/HyuuOneWFug3X:2yFlPyU32i4ISNh5243u/HAlW
Malware Config
Signatures
-
SectopRAT payload 1 IoCs
resource yara_rule behavioral1/memory/3864-76-0x0000000000400000-0x00000000004D4000-memory.dmp family_sectoprat -
Sectoprat family
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 5092 set thread context of 4860 5092 VSAddIn.exe 93 PID 5092 set thread context of 5964 5092 VSAddIn.exe 95 PID 4860 set thread context of 3864 4860 MSBuild.exe 98 -
Drops file in Windows directory 16 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\SystemTemp\~DF2A882AC3BBF6A098.TMP msiexec.exe File created C:\Windows\Installer\e57832e.msi msiexec.exe File created C:\Windows\SystemTemp\~DF01F6DA617D32CF7B.TMP msiexec.exe File created C:\Windows\Installer\e57832a.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI8378.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI84F1.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\SystemTemp\~DF83907AB47D031357.TMP msiexec.exe File opened for modification C:\Windows\Installer\e57832a.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI8502.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{CD2595F7-232E-492D-BE80-BB47C13C86A8} msiexec.exe File opened for modification C:\Windows\Installer\MSI84B2.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF2752948DC88C623D.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI8551.tmp msiexec.exe -
Executes dropped EXE 1 IoCs
pid Process 5092 VSAddIn.exe -
Loads dropped DLL 4 IoCs
pid Process 2304 MsiExec.exe 2304 MsiExec.exe 2304 MsiExec.exe 2304 MsiExec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 4188 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language more.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000863705d3f43de89a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000863705d30000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900863705d3000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d863705d3000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000863705d300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe -
Suspicious behavior: EnumeratesProcesses 19 IoCs
pid Process 2860 msiexec.exe 2860 msiexec.exe 5092 VSAddIn.exe 5092 VSAddIn.exe 5092 VSAddIn.exe 5092 VSAddIn.exe 4860 MSBuild.exe 4860 MSBuild.exe 4860 MSBuild.exe 4860 MSBuild.exe 4860 MSBuild.exe 4860 MSBuild.exe 4860 MSBuild.exe 4860 MSBuild.exe 5964 more.com 5964 more.com 3864 MSBuild.exe 3864 MSBuild.exe 3864 MSBuild.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 5092 VSAddIn.exe 5092 VSAddIn.exe 5092 VSAddIn.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 4188 msiexec.exe Token: SeIncreaseQuotaPrivilege 4188 msiexec.exe Token: SeSecurityPrivilege 2860 msiexec.exe Token: SeCreateTokenPrivilege 4188 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4188 msiexec.exe Token: SeLockMemoryPrivilege 4188 msiexec.exe Token: SeIncreaseQuotaPrivilege 4188 msiexec.exe Token: SeMachineAccountPrivilege 4188 msiexec.exe Token: SeTcbPrivilege 4188 msiexec.exe Token: SeSecurityPrivilege 4188 msiexec.exe Token: SeTakeOwnershipPrivilege 4188 msiexec.exe Token: SeLoadDriverPrivilege 4188 msiexec.exe Token: SeSystemProfilePrivilege 4188 msiexec.exe Token: SeSystemtimePrivilege 4188 msiexec.exe Token: SeProfSingleProcessPrivilege 4188 msiexec.exe Token: SeIncBasePriorityPrivilege 4188 msiexec.exe Token: SeCreatePagefilePrivilege 4188 msiexec.exe Token: SeCreatePermanentPrivilege 4188 msiexec.exe Token: SeBackupPrivilege 4188 msiexec.exe Token: SeRestorePrivilege 4188 msiexec.exe Token: SeShutdownPrivilege 4188 msiexec.exe Token: SeDebugPrivilege 4188 msiexec.exe Token: SeAuditPrivilege 4188 msiexec.exe Token: SeSystemEnvironmentPrivilege 4188 msiexec.exe Token: SeChangeNotifyPrivilege 4188 msiexec.exe Token: SeRemoteShutdownPrivilege 4188 msiexec.exe Token: SeUndockPrivilege 4188 msiexec.exe Token: SeSyncAgentPrivilege 4188 msiexec.exe Token: SeEnableDelegationPrivilege 4188 msiexec.exe Token: SeManageVolumePrivilege 4188 msiexec.exe Token: SeImpersonatePrivilege 4188 msiexec.exe Token: SeCreateGlobalPrivilege 4188 msiexec.exe Token: SeBackupPrivilege 904 vssvc.exe Token: SeRestorePrivilege 904 vssvc.exe Token: SeAuditPrivilege 904 vssvc.exe Token: SeBackupPrivilege 2860 msiexec.exe Token: SeRestorePrivilege 2860 msiexec.exe Token: SeRestorePrivilege 2860 msiexec.exe Token: SeTakeOwnershipPrivilege 2860 msiexec.exe Token: SeRestorePrivilege 2860 msiexec.exe Token: SeTakeOwnershipPrivilege 2860 msiexec.exe Token: SeRestorePrivilege 2860 msiexec.exe Token: SeTakeOwnershipPrivilege 2860 msiexec.exe Token: SeRestorePrivilege 2860 msiexec.exe Token: SeTakeOwnershipPrivilege 2860 msiexec.exe Token: SeRestorePrivilege 2860 msiexec.exe Token: SeTakeOwnershipPrivilege 2860 msiexec.exe Token: SeRestorePrivilege 2860 msiexec.exe Token: SeTakeOwnershipPrivilege 2860 msiexec.exe Token: SeRestorePrivilege 2860 msiexec.exe Token: SeTakeOwnershipPrivilege 2860 msiexec.exe Token: SeRestorePrivilege 2860 msiexec.exe Token: SeTakeOwnershipPrivilege 2860 msiexec.exe Token: SeRestorePrivilege 2860 msiexec.exe Token: SeTakeOwnershipPrivilege 2860 msiexec.exe Token: SeRestorePrivilege 2860 msiexec.exe Token: SeTakeOwnershipPrivilege 2860 msiexec.exe Token: SeRestorePrivilege 2860 msiexec.exe Token: SeTakeOwnershipPrivilege 2860 msiexec.exe Token: SeRestorePrivilege 2860 msiexec.exe Token: SeTakeOwnershipPrivilege 2860 msiexec.exe Token: SeRestorePrivilege 2860 msiexec.exe Token: SeTakeOwnershipPrivilege 2860 msiexec.exe Token: SeRestorePrivilege 2860 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4188 msiexec.exe 4188 msiexec.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3864 MSBuild.exe -
Suspicious use of WriteProcessMemory 40 IoCs
description pid Process procid_target PID 2860 wrote to memory of 5156 2860 msiexec.exe 89 PID 2860 wrote to memory of 5156 2860 msiexec.exe 89 PID 2860 wrote to memory of 2304 2860 msiexec.exe 91 PID 2860 wrote to memory of 2304 2860 msiexec.exe 91 PID 2860 wrote to memory of 2304 2860 msiexec.exe 91 PID 2860 wrote to memory of 5092 2860 msiexec.exe 92 PID 2860 wrote to memory of 5092 2860 msiexec.exe 92 PID 5092 wrote to memory of 4860 5092 VSAddIn.exe 93 PID 5092 wrote to memory of 4860 5092 VSAddIn.exe 93 PID 5092 wrote to memory of 4860 5092 VSAddIn.exe 93 PID 5092 wrote to memory of 4860 5092 VSAddIn.exe 93 PID 5092 wrote to memory of 4860 5092 VSAddIn.exe 93 PID 4860 wrote to memory of 1968 4860 MSBuild.exe 94 PID 4860 wrote to memory of 1968 4860 MSBuild.exe 94 PID 4860 wrote to memory of 1968 4860 MSBuild.exe 94 PID 4860 wrote to memory of 1968 4860 MSBuild.exe 94 PID 4860 wrote to memory of 1968 4860 MSBuild.exe 94 PID 4860 wrote to memory of 1968 4860 MSBuild.exe 94 PID 4860 wrote to memory of 1968 4860 MSBuild.exe 94 PID 4860 wrote to memory of 1968 4860 MSBuild.exe 94 PID 5092 wrote to memory of 5964 5092 VSAddIn.exe 95 PID 5092 wrote to memory of 5964 5092 VSAddIn.exe 95 PID 5092 wrote to memory of 5964 5092 VSAddIn.exe 95 PID 4860 wrote to memory of 776 4860 MSBuild.exe 97 PID 4860 wrote to memory of 776 4860 MSBuild.exe 97 PID 4860 wrote to memory of 776 4860 MSBuild.exe 97 PID 4860 wrote to memory of 776 4860 MSBuild.exe 97 PID 4860 wrote to memory of 776 4860 MSBuild.exe 97 PID 4860 wrote to memory of 776 4860 MSBuild.exe 97 PID 4860 wrote to memory of 776 4860 MSBuild.exe 97 PID 4860 wrote to memory of 776 4860 MSBuild.exe 97 PID 4860 wrote to memory of 3864 4860 MSBuild.exe 98 PID 4860 wrote to memory of 3864 4860 MSBuild.exe 98 PID 4860 wrote to memory of 3864 4860 MSBuild.exe 98 PID 4860 wrote to memory of 3864 4860 MSBuild.exe 98 PID 4860 wrote to memory of 3864 4860 MSBuild.exe 98 PID 4860 wrote to memory of 3864 4860 MSBuild.exe 98 PID 4860 wrote to memory of 3864 4860 MSBuild.exe 98 PID 4860 wrote to memory of 3864 4860 MSBuild.exe 98 PID 5092 wrote to memory of 5964 5092 VSAddIn.exe 95 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\08.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4188
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:5156
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2BE6466BF0772D268F235A21F46A5B772⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2304
-
-
C:\Users\Admin\AppData\Roaming\Causerie\VSAddIn.exe"C:\Users\Admin\AppData\Roaming\Causerie\VSAddIn.exe"2⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵PID:1968
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵PID:776
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3864
-
-
-
C:\Windows\SysWOW64\more.comC:\Windows\SysWOW64\more.com3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5964
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:904
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5ea99f0195ad24d6ac8dc7d5323c1e14e
SHA1a37b0a686a769f8ee436675c906b30e1e86e0359
SHA256a6a2eba00179f8a186e899e64a6d6db5e1795c0ffc541b91f3f1cc46eadbeed8
SHA5123ef29924a22a256002d5ef79447079f13b5ed320f0e46baceb8356c71c08d7cab88e4d63079a3b2b5a98259af9b5afa95044f2e9e7c3769ff4e6e7b7d90afefa
-
Filesize
1KB
MD5ffb140dfd576f350cd6e43bc755bb764
SHA17078662523d38796d6bbcb40352ec59d61ddde19
SHA25694c610c55d71e9d39fc03adb85dbf09b556639b60ed6a86f335154f781889332
SHA512864049e35993fa3c08eec0187ec0d67bd681620ad851f84787a4872bb569fae0f1b3aeec6990ccdc325d36fa004e2157098bd112fa5f43caa6a4aafbc0c0678a
-
Filesize
1.9MB
MD5eb7417474afce7ec5a8c818c5502c1a8
SHA1f8fa2e3e21d47265915a7a7d5a51e19509b22038
SHA256886fe661e800ac08116c96e67a76ce302b7bebe60b52415a0fcdd50526792850
SHA512ea2489a15766b70835c609de6cfdf152b5a519e7fa1cfb56e202ca1dc60119c543c97f53cee4d85244d55784181de7c5f366fa643fcae83d954ce870e8ba58b7
-
Filesize
2.3MB
MD554b0adf6326b6e10395a2f6f7d3498ae
SHA1aaadce06b8b22835f8ec0e9a9232c989a266cc3d
SHA256948902714b151b42cf9ee90b87bc2ded129d114bd564e6e932579e56caefea3c
SHA512be1daf536018a131bc93274c9d8eef9f7fdbb05d431b19f469eefe3ed9d7add511592592d0f8f80adc5ae759d55a5c84509ddca9d842a3945fe70cb496a1f22a
-
Filesize
386KB
MD572b1c6699ddc2baab105d32761285df2
SHA1fc85e9fb190f205e6752624a5231515c4ee4e155
SHA256bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97
SHA512cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170
-
Filesize
5.7MB
MD5436b14fb3637af66cfd787869decbb6f
SHA1b94dab2a8de781973507172017019f0d89527056
SHA2561bd7e0c46933e8dc11cb5375fe14600575ceed6f09fc14fc8b56032524f8bb42
SHA512caad869b295e222c0999a8eee8f270e2d1b937484c69cbf9154211db4f30237d4277ae1549e34fe842f8dbf72660c2d3023eb65bad90d07cec2a23f902b2c0dd
-
Filesize
24.6MB
MD59a208917548f4aa8199c14c563cabdc7
SHA13438534395c64748416180d4251a2b8f6c6ff5a4
SHA256eac4de0034dd000635812649c5ce679cdc1c594ecd1420004ad6fc3d660b1248
SHA5128dd333e4bb05dda55f6c32be2303ac7e4165368879763892f2859642d16163719f26ee028b1993629e3294043cfd4a3fabe6e4c6376724d5a3546d499e9b467f
-
\??\Volume{d3053786-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{61b78a62-4f79-4fc7-a1ca-cea77f1179dd}_OnDiskSnapshotProp
Filesize6KB
MD51d8b8981cafca3d0881daa6b910add97
SHA16e68e943a9316f2c28e2fd7dbd210408d1667cd7
SHA256fbf24cf24342a6abe8a49e5ca2d3ea71439ccd1d9fabaa2817b76f9c988b94b1
SHA51204bd1dde1e14b30652431eb0f81c02b6578a1492d5671cf250f02033f8d0ce2c34938b5bb3fb9e8ddca7b9ecb2d842d1c0bf0a7b4ca6b850a61ea99be3ed10a6