Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
15s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19/09/2024, 05:44
Static task
static1
Behavioral task
behavioral1
Sample
Worm.Win32.Ludbaruma.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Worm.Win32.Ludbaruma.exe
Resource
win10v2004-20240802-en
General
-
Target
Worm.Win32.Ludbaruma.exe
-
Size
45KB
-
MD5
db9033e7597d4b6374687f905b6c7a90
-
SHA1
56f3230e7e082e18bcb6f029a095f3bab0a643f3
-
SHA256
ca190b44f75e56c761bdac39808ba488b84d948ff761d21e7ebe66a430bc9727
-
SHA512
92767b84372e6ebfb3190f868888a816f58a230fc5c6d180be37e316219591367fcc8b0061597fb25e0b3c5e2fe43305f3b7310f45bcd3f8e30ad7e4667f8eb7
-
SSDEEP
768:/mFQj8rM9whcqet8Wfb4JzRJwEIHU5U3rf12WmULgJs7DFK+5nEOK:1AwEmBT4JzRJwEeUW7f12xULgJzOK
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" Worm.Win32.Ludbaruma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" Worm.Win32.Ludbaruma.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Worm.Win32.Ludbaruma.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Worm.Win32.Ludbaruma.exe -
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Worm.Win32.Ludbaruma.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Worm.Win32.Ludbaruma.exe -
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 7 IoCs
pid Process 2728 xk.exe 2180 IExplorer.exe 1932 WINLOGON.EXE 1632 CSRSS.EXE 2064 SERVICES.EXE 2820 LSASS.EXE 1068 SMSS.EXE -
Loads dropped DLL 12 IoCs
pid Process 1716 Worm.Win32.Ludbaruma.exe 1716 Worm.Win32.Ludbaruma.exe 1716 Worm.Win32.Ludbaruma.exe 1716 Worm.Win32.Ludbaruma.exe 1716 Worm.Win32.Ludbaruma.exe 1716 Worm.Win32.Ludbaruma.exe 1716 Worm.Win32.Ludbaruma.exe 1716 Worm.Win32.Ludbaruma.exe 1716 Worm.Win32.Ludbaruma.exe 1716 Worm.Win32.Ludbaruma.exe 1716 Worm.Win32.Ludbaruma.exe 1716 Worm.Win32.Ludbaruma.exe -
Modifies system executable filetype association 2 TTPs 13 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Worm.Win32.Ludbaruma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open Worm.Win32.Ludbaruma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Worm.Win32.Ludbaruma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Worm.Win32.Ludbaruma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Worm.Win32.Ludbaruma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Worm.Win32.Ludbaruma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Worm.Win32.Ludbaruma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Worm.Win32.Ludbaruma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Worm.Win32.Ludbaruma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Worm.Win32.Ludbaruma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell Worm.Win32.Ludbaruma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Worm.Win32.Ludbaruma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Worm.Win32.Ludbaruma.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" Worm.Win32.Ludbaruma.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" Worm.Win32.Ludbaruma.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" Worm.Win32.Ludbaruma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" Worm.Win32.Ludbaruma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" Worm.Win32.Ludbaruma.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\shell.exe Worm.Win32.Ludbaruma.exe File created C:\Windows\SysWOW64\shell.exe Worm.Win32.Ludbaruma.exe File created C:\Windows\SysWOW64\Mig2.scr Worm.Win32.Ludbaruma.exe File created C:\Windows\SysWOW64\IExplorer.exe Worm.Win32.Ludbaruma.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe Worm.Win32.Ludbaruma.exe File opened for modification C:\Windows\SysWOW64\Mig2.scr Worm.Win32.Ludbaruma.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\xk.exe Worm.Win32.Ludbaruma.exe File created C:\Windows\xk.exe Worm.Win32.Ludbaruma.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Worm.Win32.Ludbaruma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xk.exe -
Modifies Control Panel 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Worm.Win32.Ludbaruma.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" Worm.Win32.Ludbaruma.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\ Worm.Win32.Ludbaruma.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" Worm.Win32.Ludbaruma.exe -
Modifies registry class 15 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Worm.Win32.Ludbaruma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Worm.Win32.Ludbaruma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Worm.Win32.Ludbaruma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile Worm.Win32.Ludbaruma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell Worm.Win32.Ludbaruma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Worm.Win32.Ludbaruma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Worm.Win32.Ludbaruma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Worm.Win32.Ludbaruma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open Worm.Win32.Ludbaruma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Worm.Win32.Ludbaruma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Worm.Win32.Ludbaruma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Worm.Win32.Ludbaruma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile Worm.Win32.Ludbaruma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Worm.Win32.Ludbaruma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" Worm.Win32.Ludbaruma.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1716 Worm.Win32.Ludbaruma.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 1716 Worm.Win32.Ludbaruma.exe 2728 xk.exe 2180 IExplorer.exe 1932 WINLOGON.EXE 1632 CSRSS.EXE 2064 SERVICES.EXE 2820 LSASS.EXE 1068 SMSS.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1716 wrote to memory of 2728 1716 Worm.Win32.Ludbaruma.exe 30 PID 1716 wrote to memory of 2728 1716 Worm.Win32.Ludbaruma.exe 30 PID 1716 wrote to memory of 2728 1716 Worm.Win32.Ludbaruma.exe 30 PID 1716 wrote to memory of 2728 1716 Worm.Win32.Ludbaruma.exe 30 PID 1716 wrote to memory of 2180 1716 Worm.Win32.Ludbaruma.exe 31 PID 1716 wrote to memory of 2180 1716 Worm.Win32.Ludbaruma.exe 31 PID 1716 wrote to memory of 2180 1716 Worm.Win32.Ludbaruma.exe 31 PID 1716 wrote to memory of 2180 1716 Worm.Win32.Ludbaruma.exe 31 PID 1716 wrote to memory of 1932 1716 Worm.Win32.Ludbaruma.exe 32 PID 1716 wrote to memory of 1932 1716 Worm.Win32.Ludbaruma.exe 32 PID 1716 wrote to memory of 1932 1716 Worm.Win32.Ludbaruma.exe 32 PID 1716 wrote to memory of 1932 1716 Worm.Win32.Ludbaruma.exe 32 PID 1716 wrote to memory of 1632 1716 Worm.Win32.Ludbaruma.exe 33 PID 1716 wrote to memory of 1632 1716 Worm.Win32.Ludbaruma.exe 33 PID 1716 wrote to memory of 1632 1716 Worm.Win32.Ludbaruma.exe 33 PID 1716 wrote to memory of 1632 1716 Worm.Win32.Ludbaruma.exe 33 PID 1716 wrote to memory of 2064 1716 Worm.Win32.Ludbaruma.exe 34 PID 1716 wrote to memory of 2064 1716 Worm.Win32.Ludbaruma.exe 34 PID 1716 wrote to memory of 2064 1716 Worm.Win32.Ludbaruma.exe 34 PID 1716 wrote to memory of 2064 1716 Worm.Win32.Ludbaruma.exe 34 PID 1716 wrote to memory of 2820 1716 Worm.Win32.Ludbaruma.exe 35 PID 1716 wrote to memory of 2820 1716 Worm.Win32.Ludbaruma.exe 35 PID 1716 wrote to memory of 2820 1716 Worm.Win32.Ludbaruma.exe 35 PID 1716 wrote to memory of 2820 1716 Worm.Win32.Ludbaruma.exe 35 PID 1716 wrote to memory of 1068 1716 Worm.Win32.Ludbaruma.exe 36 PID 1716 wrote to memory of 1068 1716 Worm.Win32.Ludbaruma.exe 36 PID 1716 wrote to memory of 1068 1716 Worm.Win32.Ludbaruma.exe 36 PID 1716 wrote to memory of 1068 1716 Worm.Win32.Ludbaruma.exe 36 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Worm.Win32.Ludbaruma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Worm.Win32.Ludbaruma.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" Worm.Win32.Ludbaruma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Worm.Win32.Ludbaruma.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Worm.Win32.Ludbaruma.exe"C:\Users\Admin\AppData\Local\Temp\Worm.Win32.Ludbaruma.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1716 -
C:\Windows\xk.exeC:\Windows\xk.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2728
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2180
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1932
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1632
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2064
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2820
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1068
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45KB
MD512469b824830d0e95c6378ecd565b523
SHA1c83388f871bb84706ed149084aa3bfef6cc554f1
SHA2567c083c155605d7cf41703238787edf1ebb93ef00e73f19a4ca6fa1174f407713
SHA512e06d0b5169894a1e88703d237c02dae2984a543d8b4a7e279624a1835f7fe8e83c25a2513b772b6f1b786b9c8185490948e75e764467a88ddd96601584d846b3
-
Filesize
45KB
MD5ecbaff8874babfc86d2641c85ccdf261
SHA17c35fb742dbae72cf07039d8f9a81c7ef772dd7e
SHA256a51a1a9bd1ef4848569ccf094544cd715e2842738cc518355baacd51689ee5c9
SHA512469a8be7e447e5c36ad49a0b624d362c35017090e469e0f263c33f4c47159141b91d4f12531f3ada1f796d8c340f828265496bf31f2d62ff81bf21028d89baed
-
Filesize
45KB
MD5a5a472ae4647e6ee540fd44629c3fe6e
SHA183c0107075297a8e24fc48673bcc82a71479508d
SHA256589722633a2bc0738872d446e7bce4cd426d1be9058e806ff30f8280bb722922
SHA512ba6be73312e2484cae18b1cc004e951e860f51ca40efac5fd8332612ec74c72cdb84f003531feb677decefdd57f8afbcdf818900da5a2d22f5cc26e2163bc4a0
-
Filesize
45KB
MD5db9033e7597d4b6374687f905b6c7a90
SHA156f3230e7e082e18bcb6f029a095f3bab0a643f3
SHA256ca190b44f75e56c761bdac39808ba488b84d948ff761d21e7ebe66a430bc9727
SHA51292767b84372e6ebfb3190f868888a816f58a230fc5c6d180be37e316219591367fcc8b0061597fb25e0b3c5e2fe43305f3b7310f45bcd3f8e30ad7e4667f8eb7
-
Filesize
45KB
MD5484db6139bda8363bcae8ab703a5f806
SHA1d218d0ebe59a87ead081b1ac8d57a210e6899942
SHA256be9dd302a08d8260d82c5ad7de93cb208df5e1abb6699166a743308e03ca9faa
SHA5123d4dd74e694de40981f2949f723869cf84880e080775cf79b827897395c1a78389d3c01a27b03e90e4b9e0f9a4d4c21797b44fc1730fa5f8d37a113e9184e8fd
-
Filesize
45KB
MD55cc282ff17209581bd43e681c6796924
SHA1e5cbb2943889161a687752eaa39f5046d818be84
SHA256a1b428806b372e3e2cf4e501bc733939e430175e93a20d4a8535e0a0a1a17255
SHA512de100a919a1fca4bf28c05a10c9de569ad8fe7868e0a94ed72244881f562c25b34d8e000b71ed7871d5ca61e3b3b4bef287bbbd29e5723fe6df52092265b072e
-
Filesize
45KB
MD5ceea5becf5a7b486e87380aa0f580b94
SHA152221e4da76fd8dc16a71ef5a34e739ce08f3bcd
SHA256f18369ac0d0c38eb228658d02da5fb35e6cbfac3f0fa926dbfe6a1a2e1e70025
SHA51299f1f8496fc8db47bc367a7ca010ecfa283b20ac39b866db19da74820621349fc5e704d644e2d149d86c45e9d2f4b4e0991eb99faa1a7b65b121a00cd07adf24