Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2022, 07:22

Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20221111-en

General
Target: file.exe
Size: 234KB
MD5: 37dcfb749e32ace6713af440055191cc
SHA1: 5d7aca9da4a23501472c4c6890ad8b1ee81f84f8
SHA256: fd992bf567d01e447568f0297f9f6b4923c0e3250d6a73d158905e505bc76e1a
SHA512: 1f13820c71c4a988614103ae22419af9b8c59f8ff8ddc5b83cc359a80552ac8aadc626d01e2dbe4871a02be6153ffeeeaa2ea3c71310f4774f0b80e8594120a2
SSDEEP: 3072:jyn4LSjRE/z/Cr9bneaMzuwZgd9MP4fLU8y5/LU8y5tCAlMB6xuqqb53y1t/M:04LSuL/c9rreNZEfo5oHCApx3E5

Malware Config
Signatures

Detects Smokeloader packer 1 IoCs
resource | yara_rule
behavioral2/memory/4436-133-0x0000000002190000-0x0000000002199000-memory.dmp | family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Executes dropped EXE 2 IoCs
pid | Process
4608 | 594B.exe
3532 | Sppyteaet.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 594B.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
1996 | Process not Found
2532 | chrome.exe

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 4608 set thread context of 1324 | 4608 | 594B.exe | 89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 3 IoCs
pid | pid_target | Process | procid_target
1052 | 1324 | WerFault.exe | 89
740 | 4608 | WerFault.exe | 87
4664 | 2532 | WerFault.exe | 93

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe

Checks processor information in registry 2 TTPs 38 IoCs
Processor information is often read in order to detect sandboxing environments.

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4436 | file.exe
1996 | Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1996 | Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
4436 | file.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3532 | Sppyteaet.exe
Token: SeDebugPrivilege | 1324 | rundll32.exe
Token: SeShutdownPrivilege | 1996 | Process not Found
Token: SeCreatePagefilePrivilege | 1996 | Process not Found
Token: SeDebugPrivilege | 1996 | Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
3532 | Sppyteaet.exe
2532 | chrome.exe

Suspicious use of SendNotifyMessage 1 IoCs
pid | Process
3532 | Sppyteaet.exe

Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2532 | chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1996 wrote to memory of 4608 | 1996 | Process not Found | 87
PID 4608 wrote to memory of 3532 | 4608 | 594B.exe | 88
PID 4608 wrote to memory of 1324 | 4608 | 594B.exe | 89
PID 1996 wrote to memory of 2532 | 1996 | Process not Found | 93
PID 2532 wrote to memory of 5100 | 2532 | chrome.exe | 94
PID 2532 wrote to memory of 3240 | 2532 | chrome.exe | 98
PID 2532 wrote to memory of 3364 | 2532 | chrome.exe | 99
PID 2532 wrote to memory of 520 | 2532 | chrome.exe | 101

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID:4436
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\594B.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\594B.exe
  PID:4608
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Sppyteaet.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Sppyteaet.exe"
      PID:3532
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
      PID:1324
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 1316
          PID:1052
          - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1156
      PID:740
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1324 -ip 1324
  PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"
  PID:2532
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff87dff4f50,0x7ff87dff4f60,0x7ff87dff4f70
      PID:5100

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,13231478413717154477,5592156527530065,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1628 /prefetch:2
      PID:3240

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,13231478413717154477,5592156527530065,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2008 /prefetch:8
      PID:3364

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,13231478413717154477,5592156527530065,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 /prefetch:8
      PID:520

    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2532 -s 3600
      PID:4664
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4608 -ip 4608
  PID:1908

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:1532

C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 532 -p 2532 -ip 2532
  PID:3320

Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 5.5MB
MD5: 2d05d40bf8b8f7a5fef6ee03635ee661
SHA1: a2bb2e61aad5f942ab02e1c8a1799514dab87f67
SHA256: cb5580ed90a07c4c082f91679745742de742b1846d25b52e2b7d5791df4eddb7
SHA512: e3955e705f7d39eb49019cf4815cbb5f4030c33404b546e5f381f17fe34479d34d46c2634226bb1420fb9fe0359f93ddd33837a1cc2fb6c9e91b88eef8f6689d

Filesize: 1.3MB
MD5: ff6a5732355485b459248f586c2b6945
SHA1: 07da3f03ef18e2eaddfceb050b68e93fd533f7a3
SHA256: 366ee3319c995b995fcfcc3f2228a18a09d0461a94964b4b4ad9a89dcbf669f4
SHA512: 379fd03ebec85a9b15caf0aa8ba5a43c76199391ba3a2b29d20426501294e66d8f07c219e05355b47702e5a836d1a89015533f72da6bbe2ded57ee5d24056749