Analysis

  • max time kernel
    120s
  • max time network
    104s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240730-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240730-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    02/08/2024, 09:11

Errors

Reason
Machine shutdown

General

  • Target

    https://github.com/Dfmaaa/MEMZ-virus

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Windows directory 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Dfmaaa/MEMZ-virus
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3444
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffad6a73cb8,0x7ffad6a73cc8,0x7ffad6a73cd8
      2⤵
        PID:4040
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,17418434235253466919,16901661136481495338,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
        2⤵
          PID:940
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,17418434235253466919,16901661136481495338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3964
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,17418434235253466919,16901661136481495338,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
          2⤵
            PID:1820
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17418434235253466919,16901661136481495338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
            2⤵
              PID:4068
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17418434235253466919,16901661136481495338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
              2⤵
                PID:1448
              • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,17418434235253466919,16901661136481495338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:4252
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,17418434235253466919,16901661136481495338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:1596
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17418434235253466919,16901661136481495338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
                2⤵
                  PID:1088
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,17418434235253466919,16901661136481495338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
                  2⤵
                  • NTFS ADS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1588
              • C:\Windows\System32\CompPkgSrv.exe
                C:\Windows\System32\CompPkgSrv.exe -Embedding
                1⤵
                  PID:3592
                • C:\Windows\System32\CompPkgSrv.exe
                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                  1⤵
                    PID:244
                  • C:\Windows\System32\rundll32.exe
                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                    1⤵
                      PID:4988
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
                      1⤵
                        PID:3740
                      • C:\Windows\System32\oobe\UserOOBEBroker.exe
                        C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
                        1⤵
                        • Drops file in Windows directory
                        PID:5008
                      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
                        C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
                        1⤵
                        • System Location Discovery: System Language Discovery
                        PID:4564
                      • C:\Windows\system32\OpenWith.exe
                        C:\Windows\system32\OpenWith.exe -Embedding
                        1⤵
                        • Suspicious use of SetWindowsHookEx
                        PID:3032
                      • C:\Windows\system32\OpenWith.exe
                        C:\Windows\system32\OpenWith.exe -Embedding
                        1⤵
                        • Suspicious use of SetWindowsHookEx
                        PID:1636
                      • C:\Windows\system32\OpenWith.exe
                        C:\Windows\system32\OpenWith.exe -Embedding
                        1⤵
                        • Suspicious use of SetWindowsHookEx
                        PID:3124
                      • C:\Windows\system32\OpenWith.exe
                        C:\Windows\system32\OpenWith.exe -Embedding
                        1⤵
                        • Suspicious use of SetWindowsHookEx
                        PID:876
                      • C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
                        "C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe"
                        1⤵
                        • System Location Discovery: System Language Discovery
                        PID:1436
                      • C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
                        "C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe"
                        1⤵
                        • System Location Discovery: System Language Discovery
                        PID:3068
                        • C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
                          "C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe" /watchdog
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of SetWindowsHookEx
                          PID:4920
                        • C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
                          "C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe" /watchdog
                          2⤵
                          • Suspicious use of SetWindowsHookEx
                          PID:4392
                        • C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
                          "C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe" /watchdog
                          2⤵
                          • Suspicious use of SetWindowsHookEx
                          PID:3160
                        • C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
                          "C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe" /watchdog
                          2⤵
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of SetWindowsHookEx
                          PID:2496
                        • C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
                          "C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe" /watchdog
                          2⤵
                            PID:3060
                          • C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe
                            "C:\Users\Admin\Downloads\MEMZ-virus-main\MEMZ-virus-main\MEMZ.exe" /main
                            2⤵
                            • Writes to the Master Boot Record (MBR)
                            • System Location Discovery: System Language Discovery
                            PID:4424
                            • C:\Windows\SysWOW64\notepad.exe
                              "C:\Windows\System32\notepad.exe" \note.txt
                              3⤵
                              • System Location Discovery: System Language Discovery
                              PID:2916

                        Network

                        MITRE ATT&CK Enterprise v15

                        Downloads

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                          Filesize

                          152B

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                          Filesize

                          152B

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                          Filesize

                          2KB

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                          Filesize

                          111B

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                          Filesize

                          573B

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                          Filesize

                          5KB

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                          Filesize

                          6KB

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                          Filesize

                          6KB

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                          Filesize

                          1KB

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f973.TMP

                          Filesize

                          874B

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                          Filesize

                          16B

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                          Filesize

                          16B

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                          Filesize

                          11KB

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ad6cfc9b-0b62-42f7-863f-7b2f5809ce6e.tmp

                          Filesize

                          11KB

                        • C:\Users\Admin\Downloads\MEMZ-virus-main.zip

                          Filesize

                          8KB

                        • C:\Users\Admin\Downloads\MEMZ-virus-main.zip:Zone.Identifier

                          Filesize

                          151B

                        • C:\note.txt

                          Filesize

                          218B
