Analysis
max time kernel: 1799s
max time network: 1500s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19/03/2024, 16:12
Static task: static1
Behavioral task: behavioral1
Sample: 9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0.msi
Resource: win10-20240221-en
Behavioral task: behavioral2
Sample: 9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0.msi
Resource: win10v2004-20240226-en
Behavioral task: behavioral3
Sample: 9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0.msi
Resource: win11-20240221-en
General
Target: 9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0.msi
Size: 2.0MB
MD5: ebae9b70769458cf723022ec89b95c32
SHA1: 3d3135b87fe274988b86f50d24bde82cc08556bf
SHA256: 9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0
SHA512: 3550c281fc8dcd8078caf6c0cef847280d6ec78216b0e018b01942e82c79499538f3a0553409e3c716edf584ff5c359ce991440bab14d4794f6ae3393788a102
SSDEEP: 49152:J3osY5A6b4ms+4UhbrMizYiRpb2mN3rm999OhjY:hY5A6bDhbrfzYiRNdm+
Malware Config
Signatures
-
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\identity_helper.cmd | msiexec.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | MsiExec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\J9X0K3F5 = "C:\\ProgramData\\Druh5z1l.UsU\\Druh5z1l.UsU.exe" | Druh5z1l.UsU.exe
Blocklisted process makes network request 2 IoCs
flow | pid | Process
2 | 2752 | MsiExec.exe
4 | 2752 | MsiExec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
2752 | MsiExec.exe
Drops file in Windows directory 13 IoCs
description | ioc | Process
File created | C:\Windows\Installer\e575285.msi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{95EF7FD4-ED9D-4B37-867E-EBECFD556EFB} | msiexec.exe
File created | C:\Windows\SystemTemp\~DF7552B4DC160AA40D.TMP | msiexec.exe
File created | C:\Windows\SystemTemp\~DFD61EE6D5693013CF.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\e575285.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI52D3.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI53ED.tmp | msiexec.exe
File created | C:\Windows\SystemTemp\~DFEB16A02BF1950314.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI547B.tmp | msiexec.exe
File created | C:\Windows\SystemTemp\~DF5C90BE8DA26241EF.TMP | msiexec.exe
Executes dropped EXE 1 IoCs
pid | Process
4756 | Druh5z1l.UsU.exe
Loads dropped DLL 6 IoCs
pid | Process
2752 | MsiExec.exe
2752 | MsiExec.exe
2752 | MsiExec.exe
4756 | Druh5z1l.UsU.exe
4756 | Druh5z1l.UsU.exe
4756 | Druh5z1l.UsU.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 57 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 4620 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4620 | msiexec.exe
Token: SeSecurityPrivilege | 3552 | msiexec.exe
Token: SeCreateTokenPrivilege | 4620 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4620 | msiexec.exe
Token: SeLockMemoryPrivilege | 4620 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4620 | msiexec.exe
Token: SeMachineAccountPrivilege | 4620 | msiexec.exe
Token: SeTcbPrivilege | 4620 | msiexec.exe
Token: SeSecurityPrivilege | 4620 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4620 | msiexec.exe
Token: SeLoadDriverPrivilege | 4620 | msiexec.exe
Token: SeSystemProfilePrivilege | 4620 | msiexec.exe
Token: SeSystemtimePrivilege | 4620 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4620 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4620 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4620 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4620 | msiexec.exe
Token: SeBackupPrivilege | 4620 | msiexec.exe
Token: SeRestorePrivilege | 4620 | msiexec.exe
Token: SeShutdownPrivilege | 4620 | msiexec.exe
Token: SeDebugPrivilege | 4620 | msiexec.exe
Token: SeAuditPrivilege | 4620 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4620 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4620 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4620 | msiexec.exe
Token: SeUndockPrivilege | 4620 | msiexec.exe
Token: SeSyncAgentPrivilege | 4620 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4620 | msiexec.exe
Token: SeManageVolumePrivilege | 4620 | msiexec.exe
Token: SeImpersonatePrivilege | 4620 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4620 | msiexec.exe
Token: SeBackupPrivilege | 4356 | vssvc.exe
Token: SeRestorePrivilege | 4356 | vssvc.exe
Token: SeAuditPrivilege | 4356 | vssvc.exe
Token: SeBackupPrivilege | 3552 | msiexec.exe
Token: SeRestorePrivilege | 3552 | msiexec.exe
Token: SeRestorePrivilege | 3552 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3552 | msiexec.exe
Token: SeRestorePrivilege | 3552 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3552 | msiexec.exe
Token: SeRestorePrivilege | 3552 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3552 | msiexec.exe
Token: SeRestorePrivilege | 3552 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3552 | msiexec.exe
Token: SeBackupPrivilege | 2392 | srtasks.exe
Token: SeRestorePrivilege | 2392 | srtasks.exe
Token: SeSecurityPrivilege | 2392 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 2392 | srtasks.exe
Token: SeBackupPrivilege | 2392 | srtasks.exe
Token: SeRestorePrivilege | 2392 | srtasks.exe
Token: SeSecurityPrivilege | 2392 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 2392 | srtasks.exe
Token: SeRestorePrivilege | 3552 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3552 | msiexec.exe
Token: SeRestorePrivilege | 3552 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3552 | msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
4620 | msiexec.exe
4620 | msiexec.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 3552 wrote to memory of 2392 | 3552 | msiexec.exe | 86
PID 3552 wrote to memory of 2392 | 3552 | msiexec.exe | 86
PID 3552 wrote to memory of 2752 | 3552 | msiexec.exe | 88
PID 3552 wrote to memory of 2752 | 3552 | msiexec.exe | 88
PID 3552 wrote to memory of 2752 | 3552 | msiexec.exe | 88
PID 2752 wrote to memory of 4756 | 2752 | MsiExec.exe | 89
PID 2752 wrote to memory of 4756 | 2752 | MsiExec.exe | 89
PID 2752 wrote to memory of 4756 | 2752 | MsiExec.exe | 89
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 4620

C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Drops startup file
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3552

    C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
    PID: 2392

    C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 84CD298F8C1F82BD67342631C10F79D0
    - Adds Run key to start application
    - Blocklisted process makes network request
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2752

        C:\ProgramData\Druh5z1l.UsU\Druh5z1l.UsU.exe
        Command line: "C:\ProgramData\Druh5z1l.UsU\Druh5z1l.UsU.exe"
        - Adds Run key to start application
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        PID: 4756

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID: 4356
Network
MITRE ATT&CK Enterprise v15
Downloads
\??\Volume{8465b6cf-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b1b7ff1f-f3a0-4756-997c-fcd3defe89ef}_OnDiskSnapshotProp
Filesize: 6KB
MD5: 4bc4804238cb286aa636ae71153b7a27
SHA1: bc3e01b45b153f429a63117bad01627a7047725b
SHA256: 0f9338a0326733d2d2c878a2613b723db78bc116d9093e41c44cf02e01f2f782
SHA512: 76ac92788c6568eadab8fba59ec296beb081a1caab7856bd285e8940889844d64e9462c92222ec5af27db1d7de6f2a86c84056555b45c238d7225a49cee2a8a8