Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/11/2022, 14:30
Static task
static1
Behavioral task
behavioral1
Sample
0bfa2cc0d03575db5073e3482c0179307ba142b23d78c4b7a1cca8f8ee6eb203.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
0bfa2cc0d03575db5073e3482c0179307ba142b23d78c4b7a1cca8f8ee6eb203.exe
Resource
win10v2004-20220901-en
General
- Target: 0bfa2cc0d03575db5073e3482c0179307ba142b23d78c4b7a1cca8f8ee6eb203.exe
- Size: 143KB
- MD5: 14274b2c7852ea88381c9267ffcca069
- SHA1: 00575f10993b892b33ade4378bc8c1824d7b3580
- SHA256: 0bfa2cc0d03575db5073e3482c0179307ba142b23d78c4b7a1cca8f8ee6eb203
- SHA512: 16450cb85fd158346218f5415200b870f54bf6b769a5dc98bf9d338127fba60dce33e52bcb9fbdf77d26b84a2e54d687116178ac59b58b4bc739311c7f18bb06
- SSDEEP: 3072:iN6ZekwVJIlgps5q9Eb648qwlS/+TfQO45Dn7:pe9IB83ID5z7
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (Process: 0bfa2cc0d03575db5073e3482c0179307ba142b23d78c4b7a1cca8f8ee6eb203.exe)
-
Adds Run key to start application 2 TTPs 1 IoCs
Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run (Process: msedge.exe)
-
Drops file in Program Files directory 2 IoCs
File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\15b18462-2ad4-4d53-baba-4600dae7b9de.tmp (Process: setup.exe)
File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221128114209.pma (Process: setup.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (Process: msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Process: msedge.exe)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Process: msedge.exe)
-
Modifies registry class 1 IoCs
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Process: msedge.exe)
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid / Process: 1088 msedge.exe; 1088 msedge.exe; 4316 msedge.exe; 4316 msedge.exe; 5020 identity_helper.exe; 5020 identity_helper.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
pid / Process: 4316 msedge.exe; 4316 msedge.exe; 4316 msedge.exe; 4316 msedge.exe; 4316 msedge.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
pid / Process: 2324 0bfa2cc0d03575db5073e3482c0179307ba142b23d78c4b7a1cca8f8ee6eb203.exe; 4316 msedge.exe; 4316 msedge.exe; 4316 msedge.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
pid / Process: 2324 0bfa2cc0d03575db5073e3482c0179307ba142b23d78c4b7a1cca8f8ee6eb203.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0bfa2cc0d03575db5073e3482c0179307ba142b23d78c4b7a1cca8f8ee6eb203.exe"C:\Users\Admin\AppData\Local\Temp\0bfa2cc0d03575db5073e3482c0179307ba142b23d78c4b7a1cca8f8ee6eb203.exe"1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "start http://securedfileinfo.com/404.jsp?chid=4300109^&rsn=plde^&details=^|v6.2.9200x64sp0.0ws^|tt31^|dt0^|dc100^|fs-2^|dh0^|ec13^|se12007^|dr4^|ds0^|rs0^|p1"2⤵
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://securedfileinfo.com/404.jsp?chid=4300109&rsn=plde&details=|v6.2.9200x64sp0.0ws|tt31|dt0|dc100|fs-2|dh0|ec13|se12007|dr4|ds0|rs0|p13⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc541146f8,0x7ffc54114708,0x7ffc541147184⤵PID:4688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,4747000534984408864,4848767510470596116,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:24⤵PID:3464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,4747000534984408864,4848767510470596116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:1088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,4747000534984408864,4848767510470596116,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:84⤵PID:2664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4747000534984408864,4848767510470596116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:14⤵PID:484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4747000534984408864,4848767510470596116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:14⤵PID:1568
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2088,4747000534984408864,4848767510470596116,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4944 /prefetch:84⤵PID:2524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4747000534984408864,4848767510470596116,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:14⤵PID:4604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2088,4747000534984408864,4848767510470596116,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5204 /prefetch:84⤵PID:1836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4747000534984408864,4848767510470596116,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2228 /prefetch:14⤵PID:1068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4747000534984408864,4848767510470596116,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:14⤵PID:4720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,4747000534984408864,4848767510470596116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:84⤵PID:4008
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings4⤵
- Drops file in Program Files directory
PID:2356 -
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff681575460,0x7ff681575470,0x7ff6815754805⤵PID:764
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,4747000534984408864,4848767510470596116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
PID:5020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,4747000534984408864,4848767510470596116,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5240 /prefetch:84⤵PID:2972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,4747000534984408864,4848767510470596116,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:84⤵PID:4296
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4540
Network
MITRE ATT&CK Enterprise v6
Downloads