Analysis
- max time kernel: 190s
- max time network: 227s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/11/2022, 21:49
Static task
static1
Behavioral task
behavioral1
- Sample: 9d2567186d3a196374a2d2bcde216cabe171a8412e5de385e3b2337597d6d18c.exe
- Resource: win7-20220812-en
General
- Target: 9d2567186d3a196374a2d2bcde216cabe171a8412e5de385e3b2337597d6d18c.exe
- Size: 2.6MB
- MD5: 4bfaf4334b36db4e10e1c7e63a6889af
- SHA1: 77b2ee9f7e39d548f42da877bda97bff83e9315e
- SHA256: 9d2567186d3a196374a2d2bcde216cabe171a8412e5de385e3b2337597d6d18c
- SHA512: 4546dc9ba1180038c2f2015c0db1cbed07ac3a042010c2f232104b2e60c7f36614208fa648f7183da99a4c301a0cd9a721eecabd0ca3588c57aa465de312d8d9
- SSDEEP: 49152:gfJ3tfIakU9sxt4jL148SgiQbEf1AnjxN3NIy0kbp0ik1LrhPm:gfJ9fRkU9sxtQOgPbaajxzIobp0iE
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 9d2567186d3a196374a2d2bcde216cabe171a8412e5de385e3b2337597d6d18c.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | 9d2567186d3a196374a2d2bcde216cabe171a8412e5de385e3b2337597d6d18c.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Wine | 9d2567186d3a196374a2d2bcde216cabe171a8412e5de385e3b2337597d6d18c.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
4268 | 9d2567186d3a196374a2d2bcde216cabe171a8412e5de385e3b2337597d6d18c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
pid | pid_target | Process | procid_target
2272 | 4268 | WerFault.exe | 82
4712 | 4268 | WerFault.exe | 82
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4268 | 9d2567186d3a196374a2d2bcde216cabe171a8412e5de385e3b2337597d6d18c.exe
Suspicious use of AdjustPrivilegeToken 44 IoCs
description | pid | Process
Token: 33 | 4268 | 9d2567186d3a196374a2d2bcde216cabe171a8412e5de385e3b2337597d6d18c.exe
Token: SeIncBasePriorityPrivilege | 4268 | 9d2567186d3a196374a2d2bcde216cabe171a8412e5de385e3b2337597d6d18c.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2640 | iexplore.exe
2300 | iexplore.exe
Suspicious use of SetWindowsHookEx 15 IoCs
pid | Process
4268 | 9d2567186d3a196374a2d2bcde216cabe171a8412e5de385e3b2337597d6d18c.exe
2300 | iexplore.exe
2640 | iexplore.exe
4036 | IEXPLORE.EXE
3208 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 10 IoCs
description | pid | Process | procid_target
PID 4268 wrote to memory of 2640 | 4268 | 9d2567186d3a196374a2d2bcde216cabe171a8412e5de385e3b2337597d6d18c.exe | 90
PID 4268 wrote to memory of 2300 | 4268 | 9d2567186d3a196374a2d2bcde216cabe171a8412e5de385e3b2337597d6d18c.exe | 91
PID 2640 wrote to memory of 3208 | 2640 | iexplore.exe | 97
PID 2300 wrote to memory of 4036 | 2300 | iexplore.exe | 96
Processes
PID 4268 (level 1)
  Image: C:\Users\Admin\AppData\Local\Temp\9d2567186d3a196374a2d2bcde216cabe171a8412e5de385e3b2337597d6d18c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9d2567186d3a196374a2d2bcde216cabe171a8412e5de385e3b2337597d6d18c.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  PID 2640 (level 2)
    Image: C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://schftx.taobao.com/
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    PID 3208 (level 3)
      Image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2640 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

  PID 2300 (level 2)
    Image: C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.weishiwg.com/
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    PID 4036 (level 3)
      Image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2300 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

  PID 2272 (level 2)
    Image: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 2300
    - Program crash

  PID 4712 (level 2)
    Image: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1792
    - Program crash

PID 4040 (level 1)
  Image: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4268 -ip 4268

PID 1300 (level 1)
  Image: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4268 -ip 4268
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{147EC300-6E6C-11ED-BF5F-7295FC24CA51}.dat
  Filesize: 5KB
  MD5: 6b0b043791a0282cbc43b96983ae3b40
  SHA1: 4afd54f9cf5c50e2a06254c86ce29f4f895c93d4
  SHA256: 504bc0e925dc2e75a4d34795cf214aae403df64f96b149e5c2e2f3a3f2116072
  SHA512: 2117f5798cc68052f0d0048f155121dc616c06f88f6a2b47af9344946aa46b8d6fd4d99011505765b6819b47e84fddadf32940e5824b9bd21045cb44b2ea4be4
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{14812606-6E6C-11ED-BF5F-7295FC24CA51}.dat
  Filesize: 5KB
  MD5: faa1990830b235f3030812ed7e4d3993
  SHA1: 56e368ff9a6eddf8c5bdd323e10a8464b0952390
  SHA256: 16d779d1dac1e5e155dec091d966699fa9ce461d82f79e5dd352650f13bac2ce
  SHA512: b10771f8d0c32d11aa1d23635c7382698a6b6ea527451ed983fa033cdca88fcccf233001d642ea186d23881c41545b3e17f509f90915210c628c06e8ecfaeefb