Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
125s -
max time network
147s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system -
submitted
16/02/2023, 02:13
Static task
static1
General
-
Target
3cb7b21368db29f3eb2dca7288aa62b0ac88e0bbf8363e495bffa0453dbc9e8e.exe
-
Size
724KB
-
MD5
a70a7a3368d23144e2ba2cd1c813d496
-
SHA1
df27cf829e407e8fa0a0cc5b65e66e5e93964841
-
SHA256
3cb7b21368db29f3eb2dca7288aa62b0ac88e0bbf8363e495bffa0453dbc9e8e
-
SHA512
ece447235892960c831e8ba0c58ac99462a3d75bc707e11fa470efed75cf2287ef955640aa181eeb36a0da05c2f4e6885f727a14967dbfed1cfbff463db2b71e
-
SSDEEP
12288:oMrey9081MqdOoNlZKAYxGTT4hqGjFJ43BhcNNnRJ6BnmU83YPH:WyjqqdO2KAHTTevjFJ4LcfU2kH
Malware Config
Extracted
redline
fukia
193.233.20.13:4136
-
auth_value
e5783636fbd9e4f0cf9a017bce02e67e
Extracted
redline
ruma
193.233.20.13:4136
-
auth_value
647d00dfaba082a4a30f383bca5d1a2a
Extracted
amadey
3.66
193.233.20.4/t6r48nSa/index.php
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" iOv72EM.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" iOv72EM.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" iOv72EM.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" iOv72EM.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" iOv72EM.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/memory/3836-421-0x0000000002300000-0x0000000002346000-memory.dmp family_redline behavioral1/memory/3836-429-0x0000000004B10000-0x0000000004B54000-memory.dmp family_redline -
Executes dropped EXE 9 IoCs
pid Process 3296 sgm71XV.exe 4952 sGe90rY.exe 4284 iOv72EM.exe 1796 kXG90Jz.exe 3836 lWi20Rp.exe 652 nyX65em.exe 1920 mnolyk.exe 4048 mnolyk.exe 1600 mnolyk.exe -
Loads dropped DLL 1 IoCs
pid Process 532 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" iOv72EM.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" sGe90rY.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 3cb7b21368db29f3eb2dca7288aa62b0ac88e0bbf8363e495bffa0453dbc9e8e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 3cb7b21368db29f3eb2dca7288aa62b0ac88e0bbf8363e495bffa0453dbc9e8e.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce sgm71XV.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" sgm71XV.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce sGe90rY.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3688 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4284 iOv72EM.exe 4284 iOv72EM.exe 1796 kXG90Jz.exe 1796 kXG90Jz.exe 3836 lWi20Rp.exe 3836 lWi20Rp.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4284 iOv72EM.exe Token: SeDebugPrivilege 1796 kXG90Jz.exe Token: SeDebugPrivilege 3836 lWi20Rp.exe -
Suspicious use of WriteProcessMemory 47 IoCs
description pid Process procid_target PID 2688 wrote to memory of 3296 2688 3cb7b21368db29f3eb2dca7288aa62b0ac88e0bbf8363e495bffa0453dbc9e8e.exe 66 PID 2688 wrote to memory of 3296 2688 3cb7b21368db29f3eb2dca7288aa62b0ac88e0bbf8363e495bffa0453dbc9e8e.exe 66 PID 2688 wrote to memory of 3296 2688 3cb7b21368db29f3eb2dca7288aa62b0ac88e0bbf8363e495bffa0453dbc9e8e.exe 66 PID 3296 wrote to memory of 4952 3296 sgm71XV.exe 67 PID 3296 wrote to memory of 4952 3296 sgm71XV.exe 67 PID 3296 wrote to memory of 4952 3296 sgm71XV.exe 67 PID 4952 wrote to memory of 4284 4952 sGe90rY.exe 68 PID 4952 wrote to memory of 4284 4952 sGe90rY.exe 68 PID 4952 wrote to memory of 1796 4952 sGe90rY.exe 69 PID 4952 wrote to memory of 1796 4952 sGe90rY.exe 69 PID 4952 wrote to memory of 1796 4952 sGe90rY.exe 69 PID 3296 wrote to memory of 3836 3296 sgm71XV.exe 71 PID 3296 wrote to memory of 3836 3296 sgm71XV.exe 71 PID 3296 wrote to memory of 3836 3296 sgm71XV.exe 71 PID 2688 wrote to memory of 652 2688 3cb7b21368db29f3eb2dca7288aa62b0ac88e0bbf8363e495bffa0453dbc9e8e.exe 72 PID 2688 wrote to memory of 652 2688 3cb7b21368db29f3eb2dca7288aa62b0ac88e0bbf8363e495bffa0453dbc9e8e.exe 72 PID 2688 wrote to memory of 652 2688 3cb7b21368db29f3eb2dca7288aa62b0ac88e0bbf8363e495bffa0453dbc9e8e.exe 72 PID 652 wrote to memory of 1920 652 nyX65em.exe 73 PID 652 wrote to memory of 1920 652 nyX65em.exe 73 PID 652 wrote to memory of 1920 652 nyX65em.exe 73 PID 1920 wrote to memory of 3688 1920 mnolyk.exe 74 PID 1920 wrote to memory of 3688 1920 mnolyk.exe 74 PID 1920 wrote to memory of 3688 1920 mnolyk.exe 74 PID 1920 wrote to memory of 1068 1920 mnolyk.exe 75 PID 1920 wrote to memory of 1068 1920 mnolyk.exe 75 PID 1920 wrote to memory of 1068 1920 mnolyk.exe 75 PID 1068 wrote to memory of 4892 1068 cmd.exe 78 PID 1068 wrote to memory of 4892 1068 cmd.exe 78 PID 1068 wrote to memory of 4892 1068 cmd.exe 78 PID 1068 wrote to memory of 2256 1068 cmd.exe 79 PID 1068 wrote to memory of 2256 1068 cmd.exe 79 PID 1068 wrote to memory of 2256 1068 cmd.exe 79 PID 1068 wrote to memory of 4464 1068 cmd.exe 80 PID 1068 wrote to memory of 4464 1068 cmd.exe 80 PID 1068 wrote to memory of 4464 1068 cmd.exe 80 PID 1068 wrote to memory of 4708 1068 cmd.exe 81 PID 1068 wrote to memory of 4708 1068 cmd.exe 81 PID 1068 wrote to memory of 4708 1068 cmd.exe 81 PID 1068 wrote to memory of 4632 1068 cmd.exe 82 PID 1068 wrote to memory of 4632 1068 cmd.exe 82 PID 1068 wrote to memory of 4632 1068 cmd.exe 82 PID 1068 wrote to memory of 380 1068 cmd.exe 83 PID 1068 wrote to memory of 380 1068 cmd.exe 83 PID 1068 wrote to memory of 380 1068 cmd.exe 83 PID 1920 wrote to memory of 532 1920 mnolyk.exe 85 PID 1920 wrote to memory of 532 1920 mnolyk.exe 85 PID 1920 wrote to memory of 532 1920 mnolyk.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\3cb7b21368db29f3eb2dca7288aa62b0ac88e0bbf8363e495bffa0453dbc9e8e.exe"C:\Users\Admin\AppData\Local\Temp\3cb7b21368db29f3eb2dca7288aa62b0ac88e0bbf8363e495bffa0453dbc9e8e.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sgm71XV.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sgm71XV.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3296 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sGe90rY.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sGe90rY.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iOv72EM.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iOv72EM.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4284
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kXG90Jz.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kXG90Jz.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lWi20Rp.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lWi20Rp.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3836
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nyX65em.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nyX65em.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F4⤵
- Creates scheduled task(s)
PID:3688
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:4892
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:N"5⤵PID:2256
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:R" /E5⤵PID:4464
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:4708
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5eb6b96734" /P "Admin:N"5⤵PID:4632
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5eb6b96734" /P "Admin:R" /E5⤵PID:380
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
PID:532
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe1⤵
- Executes dropped EXE
PID:4048
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe1⤵
- Executes dropped EXE
PID:1600
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
236KB
MD5812b8d76e0cf1e825bbfcf787ebdd902
SHA19f981c60bb4195657340519e13f1422e5cc8967b
SHA2566513d8b8a66e7fe3a4d82164f24b61757dae9bc11db25517edc8bf0d00502f34
SHA5129a2b4081cdc46bcbede11a1933515d73577941d8878ac912f2ab5a699bcf3d0700a99f00791d95fd8e9a7e28e50e5ec96d47214b99eb597f92cf5be089f57bc7
-
Filesize
236KB
MD5812b8d76e0cf1e825bbfcf787ebdd902
SHA19f981c60bb4195657340519e13f1422e5cc8967b
SHA2566513d8b8a66e7fe3a4d82164f24b61757dae9bc11db25517edc8bf0d00502f34
SHA5129a2b4081cdc46bcbede11a1933515d73577941d8878ac912f2ab5a699bcf3d0700a99f00791d95fd8e9a7e28e50e5ec96d47214b99eb597f92cf5be089f57bc7
-
Filesize
236KB
MD5812b8d76e0cf1e825bbfcf787ebdd902
SHA19f981c60bb4195657340519e13f1422e5cc8967b
SHA2566513d8b8a66e7fe3a4d82164f24b61757dae9bc11db25517edc8bf0d00502f34
SHA5129a2b4081cdc46bcbede11a1933515d73577941d8878ac912f2ab5a699bcf3d0700a99f00791d95fd8e9a7e28e50e5ec96d47214b99eb597f92cf5be089f57bc7
-
Filesize
236KB
MD5812b8d76e0cf1e825bbfcf787ebdd902
SHA19f981c60bb4195657340519e13f1422e5cc8967b
SHA2566513d8b8a66e7fe3a4d82164f24b61757dae9bc11db25517edc8bf0d00502f34
SHA5129a2b4081cdc46bcbede11a1933515d73577941d8878ac912f2ab5a699bcf3d0700a99f00791d95fd8e9a7e28e50e5ec96d47214b99eb597f92cf5be089f57bc7
-
Filesize
236KB
MD5812b8d76e0cf1e825bbfcf787ebdd902
SHA19f981c60bb4195657340519e13f1422e5cc8967b
SHA2566513d8b8a66e7fe3a4d82164f24b61757dae9bc11db25517edc8bf0d00502f34
SHA5129a2b4081cdc46bcbede11a1933515d73577941d8878ac912f2ab5a699bcf3d0700a99f00791d95fd8e9a7e28e50e5ec96d47214b99eb597f92cf5be089f57bc7
-
Filesize
236KB
MD5812b8d76e0cf1e825bbfcf787ebdd902
SHA19f981c60bb4195657340519e13f1422e5cc8967b
SHA2566513d8b8a66e7fe3a4d82164f24b61757dae9bc11db25517edc8bf0d00502f34
SHA5129a2b4081cdc46bcbede11a1933515d73577941d8878ac912f2ab5a699bcf3d0700a99f00791d95fd8e9a7e28e50e5ec96d47214b99eb597f92cf5be089f57bc7
-
Filesize
538KB
MD5e49ed127f5bc90532d2d5cf02c31409d
SHA1d7495fefe16630016ab9ee966efce8231a71b5f7
SHA2563188bfe5c4ed92c4ce30fb64fdbe610562e8783b5ac112dc1d1dea277d788f76
SHA512bd3f87f86882f49ea2d148224aeb305d47c1ade80be7229f9d395163608deb40d7c28ea50376732e9c57d66c29ec7e6f8a6caee86e02b83706b864d53c39157d
-
Filesize
538KB
MD5e49ed127f5bc90532d2d5cf02c31409d
SHA1d7495fefe16630016ab9ee966efce8231a71b5f7
SHA2563188bfe5c4ed92c4ce30fb64fdbe610562e8783b5ac112dc1d1dea277d788f76
SHA512bd3f87f86882f49ea2d148224aeb305d47c1ade80be7229f9d395163608deb40d7c28ea50376732e9c57d66c29ec7e6f8a6caee86e02b83706b864d53c39157d
-
Filesize
314KB
MD5272adf3486ddc5e0087dfeb690aec96b
SHA118e25adb4778d729c086735d737a565505c6e621
SHA256bc544e22eb6c48123c45f3dba5d99dcad468d09c9e4da9aed151d6fd58dbf41a
SHA51278312924ec25141ef9b9d9119c8549dbdf8151afd8da974afadf11d5112cea15e19676123308eff0eb84594ec9274036b7ae8e6d1ba044479e8acabbccf345f9
-
Filesize
314KB
MD5272adf3486ddc5e0087dfeb690aec96b
SHA118e25adb4778d729c086735d737a565505c6e621
SHA256bc544e22eb6c48123c45f3dba5d99dcad468d09c9e4da9aed151d6fd58dbf41a
SHA51278312924ec25141ef9b9d9119c8549dbdf8151afd8da974afadf11d5112cea15e19676123308eff0eb84594ec9274036b7ae8e6d1ba044479e8acabbccf345f9
-
Filesize
202KB
MD5c7ff0ac932dc0072af811ca9f6532ce8
SHA1e8133c92cda2f1b0c810df5ecd1bddd63befc5f9
SHA256c3a8cee779df178fe66cc7ea09432f58ba30e5100326fd9267e5f9f849721431
SHA5121e82f898df2a2bd276e5b3ce54e9233743501d9f29daec2cbdb4722b691ebfd34971abc21199146d0d69f20c670e2aab3de2976a659bb0af0f90b6ed8adbca13
-
Filesize
202KB
MD5c7ff0ac932dc0072af811ca9f6532ce8
SHA1e8133c92cda2f1b0c810df5ecd1bddd63befc5f9
SHA256c3a8cee779df178fe66cc7ea09432f58ba30e5100326fd9267e5f9f849721431
SHA5121e82f898df2a2bd276e5b3ce54e9233743501d9f29daec2cbdb4722b691ebfd34971abc21199146d0d69f20c670e2aab3de2976a659bb0af0f90b6ed8adbca13
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
175KB
MD5a5f5c5d6291c7ae9e1d1b7ed1e551490
SHA13d06413341893b838549939e15f8f1eec423d71a
SHA2561a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
SHA512d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2
-
Filesize
175KB
MD5a5f5c5d6291c7ae9e1d1b7ed1e551490
SHA13d06413341893b838549939e15f8f1eec423d71a
SHA2561a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
SHA512d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2
-
Filesize
89KB
MD54cf63b9a3e4bc0910af4d8baa5939238
SHA1361eea9bb65071ebf09d9598fe7a482e487b919f
SHA256dd82c0954f9047eb2a601aefa58eec94c79f71cab58f980a663ae3b8a54a63f9
SHA512177f101609bbdb7a3e423ecb2914b21d3fb91bf1e6267c4a30313b8ae0b5bc49659fc6ce1f1715649b8ee774022a9b045d886f2ba658ef065eefceedeaf7ee38
-
Filesize
89KB
MD54cf63b9a3e4bc0910af4d8baa5939238
SHA1361eea9bb65071ebf09d9598fe7a482e487b919f
SHA256dd82c0954f9047eb2a601aefa58eec94c79f71cab58f980a663ae3b8a54a63f9
SHA512177f101609bbdb7a3e423ecb2914b21d3fb91bf1e6267c4a30313b8ae0b5bc49659fc6ce1f1715649b8ee774022a9b045d886f2ba658ef065eefceedeaf7ee38