Analysis
- max time kernel: 198s
- max time network: 209s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/12/2022, 21:57

Static task: static1

Behavioral task: behavioral1
- Sample: 8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe
- Resource: win10v2004-20221111-en
General
- Target: 8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe
- Size: 348KB
- MD5: 3909ca20eaf5f8f23af553418c9cb400
- SHA1: b5069e4181276460ce4f364a74c3030f7da15c9d
- SHA256: 8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219
- SHA512: 349f9dbed04845cad7246261f577edf00c7e4f4692b658cb46d598e0993cf71a588ac23ee870651f0dadff63cf770bd7b3eaaf6143cde292b581c5dd74f16e84
- SSDEEP: 6144:gDCwfG1bnxLE3faDCwfG1bnxLE3fbmaGc:g72bntEi72bntEzTGc
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | avscan.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | hosts.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe |

Modifies visiblity of hidden/system files in Explorer (2 TTPs, 3 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | avscan.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hosts.exe |

Adds policy Run key to start application (2 TTPs, 6 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WIJBFSKT = "W_X_C.bat" | WScript.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WIJBFSKT = "W_X_C.bat" | WScript.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WIJBFSKT = "W_X_C.bat" | WScript.exe |

Executes dropped EXE (6 IoCs)

| pid | Process |
| --- | --- |
| 308 | avscan.exe |
| 4952 | avscan.exe |
| 4280 | hosts.exe |
| 4408 | hosts.exe |
| 2824 | avscan.exe |
| 3160 | hosts.exe |

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | cmd.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | cmd.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | cmd.exe |

Adds Run key to start application (2 TTPs, 6 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | 8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | avscan.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | avscan.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | hosts.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | hosts.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe |

Drops file in Windows directory (5 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | \??\c:\windows\W_X_C.bat | 8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe |
| File opened for modification | C:\Windows\hosts.exe | 8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe |
| File opened for modification | C:\Windows\hosts.exe | avscan.exe |
| File opened for modification | C:\Windows\hosts.exe | hosts.exe |
| File created | C:\windows\W_X_C.vbs | 8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe |

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (4 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | cmd.exe |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | 8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | cmd.exe |
| Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | cmd.exe |

Modifies registry key (1 TTPs, 9 IoCs)

| pid | Process |
| --- | --- |
| 2224 | REG.exe |
| 1356 | REG.exe |
| 1272 | REG.exe |
| 1280 | REG.exe |
| 3472 | REG.exe |
| 480 | REG.exe |
| 3868 | REG.exe |
| 3560 | REG.exe |
| 3340 | REG.exe |

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

| pid | Process |
| --- | --- |
| 308 | avscan.exe |
| 4280 | hosts.exe |

Suspicious use of SetWindowsHookEx (7 IoCs)

| pid | Process |
| --- | --- |
| 5040 | 8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe |
| 308 | avscan.exe |
| 4952 | avscan.exe |
| 4280 | hosts.exe |
| 4408 | hosts.exe |
| 2824 | avscan.exe |
| 3160 | hosts.exe |

Suspicious use of WriteProcessMemory 63 IoCs
Processes
- PID 5040 | Image: C:\Users\Admin\AppData\Local\Temp\8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe | Command line: "C:\Users\Admin\AppData\Local\Temp\8ab298f486811beabfc16f34829598ec701d27d42f22a499b4186d7402153219.exe"
  Signatures: Modifies visibility of file extensions in Explorer; Modifies visiblity of hidden/system files in Explorer; Adds Run key to start application; Drops file in Windows directory; Modifies registry class; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - PID 1272 | Image: C:\Windows\SysWOW64\REG.exe | Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    Signatures: Modifies registry key
  - PID 308 | Image: C:\Users\Admin\AppData\Local\Temp\avscan.exe | Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
    Signatures: Modifies visibility of file extensions in Explorer; Modifies visiblity of hidden/system files in Explorer; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - PID 4952 | Image: C:\Users\Admin\AppData\Local\Temp\avscan.exe | Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - PID 3788 | Image: C:\Windows\SysWOW64\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
      Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
      - PID 4280 | Image: C:\windows\hosts.exe | Command line: C:\windows\hosts.exe
        Signatures: Modifies visibility of file extensions in Explorer; Modifies visiblity of hidden/system files in Explorer; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - PID 2824 | Image: C:\Users\Admin\AppData\Local\Temp\avscan.exe | Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
          Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - PID 3840 | Image: C:\Windows\SysWOW64\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
          Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
          - PID 3160 | Image: C:\windows\hosts.exe | Command line: C:\windows\hosts.exe
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
          - PID 1680 | Image: C:\Windows\SysWOW64\WScript.exe | Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
            Signatures: Adds policy Run key to start application
        - PID 2224 | Image: C:\Windows\SysWOW64\REG.exe | Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          Signatures: Modifies registry key
        - PID 3340 | Image: C:\Windows\SysWOW64\REG.exe | Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          Signatures: Modifies registry key
        - PID 3472 | Image: C:\Windows\SysWOW64\REG.exe | Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          Signatures: Modifies registry key
        - PID 3868 | Image: C:\Windows\SysWOW64\REG.exe | Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          Signatures: Modifies registry key
      - PID 844 | Image: C:\Windows\SysWOW64\WScript.exe | Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        Signatures: Adds policy Run key to start application
    - PID 1280 | Image: C:\Windows\SysWOW64\REG.exe | Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      Signatures: Modifies registry key
    - PID 3560 | Image: C:\Windows\SysWOW64\REG.exe | Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      Signatures: Modifies registry key
    - PID 1356 | Image: C:\Windows\SysWOW64\REG.exe | Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      Signatures: Modifies registry key
    - PID 480 | Image: C:\Windows\SysWOW64\REG.exe | Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      Signatures: Modifies registry key
  - PID 3164 | Image: C:\Windows\SysWOW64\cmd.exe | Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
    - PID 4408 | Image: C:\windows\hosts.exe | Command line: C:\windows\hosts.exe
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - PID 4832 | Image: C:\Windows\SysWOW64\WScript.exe | Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      Signatures: Adds policy Run key to start application
- PID 1484 | Image: C:\Windows\System32\rundll32.exe | Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v6
Downloads