Analysis
- max time kernel: 150s
- max time network: 187s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 16-06-2021 07:12
Static task: static1
Behavioral task: behavioral1
Sample: 0c9e45bf4ffe549dddd3c0735fee3bfee13bb8fa795ac3831ea7cf657dd19dd0.exe
Resource: win7v20210410
General
- Target: 0c9e45bf4ffe549dddd3c0735fee3bfee13bb8fa795ac3831ea7cf657dd19dd0.exe
- Size: 2.8MB
- MD5: 1aed5d95ffc86126b79a9fe69f3f8af4
- SHA1: de35454b27c455326a5b4974830d32f70058a839
- SHA256: 0c9e45bf4ffe549dddd3c0735fee3bfee13bb8fa795ac3831ea7cf657dd19dd0
- SHA512: 33274d75ae2b56cd403fddf5007a2df2d29f0dd93e043b43bcd292ca370c0b05544dc1c8033279c769fa48fcc8631261cfc5da6f3bc9250dc6b1eea7ddfc2522
Malware Config
Extracted
- Family: njrat
- Carbonblack2102
- batvoi
- 1368.vnh.wtf:5552
- 0de45b5c6627a3e65a4b2a1e68ec841b
- reg_key: 0de45b5c6627a3e65a4b2a1e68ec841b
- splitter: |'|'|
Signatures
- Taurus Stealer Payload (3 IoCs)
  resource / yara_rule:
  - behavioral1/memory/832-97-0x0000000000400000-0x0000000000437000-memory.dmp: family_taurus_stealer
  - behavioral1/memory/832-98-0x000000000041CEE8-mapping.dmp: family_taurus_stealer
  - behavioral1/memory/832-100-0x0000000000400000-0x0000000000437000-memory.dmp: family_taurus_stealer
- Executes dropped EXE (4 IoCs)
  pid / process:
  - 1120 MRGO.EXE
  - 1940 WMI PERFORMANCE REVERSE ADAPTER.EXE
  - 1784 WMI PERFORMANCE REVERSE ADPIRE.EXE
  - 340 WMI Performance Reverse Adapters.exe
- Modifies Windows Firewall (1 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description / ioc / process:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (MRGO.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (MRGO.EXE)
- Drops startup file (2 IoCs)
  description / ioc / process:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0de45b5c6627a3e65a4b2a1e68ec841b.exe (WMI Performance Reverse Adapters.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0de45b5c6627a3e65a4b2a1e68ec841b.exe (WMI Performance Reverse Adapters.exe)
- Loads dropped DLL (8 IoCs)
  pid / process:
  - 1836 0c9e45bf4ffe549dddd3c0735fee3bfee13bb8fa795ac3831ea7cf657dd19dd0.exe
  - 1836 0c9e45bf4ffe549dddd3c0735fee3bfee13bb8fa795ac3831ea7cf657dd19dd0.exe
  - 1944 (no process name given)
  - 1836 0c9e45bf4ffe549dddd3c0735fee3bfee13bb8fa795ac3831ea7cf657dd19dd0.exe
  - 1940 WMI PERFORMANCE REVERSE ADAPTER.EXE
  - 1608 WerFault.exe
  - 1608 WerFault.exe
  - 1608 WerFault.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / process:
  - Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\0de45b5c6627a3e65a4b2a1e68ec841b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WMI Performance Reverse Adapters.exe\" .." (WMI Performance Reverse Adapters.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0de45b5c6627a3e65a4b2a1e68ec841b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WMI Performance Reverse Adapters.exe\" .." (WMI Performance Reverse Adapters.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  description / pid / process / target process:
  - PID 1784 set thread context of 832: WMI PERFORMANCE REVERSE ADPIRE.EXE -> mscorsvw.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  pid / pid_target / process / target process:
  - 1608 -> 1120: WerFault.exe -> MRGO.EXE
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid / process:
  - 340 WMI Performance Reverse Adapters.exe (3 entries)
  - 1608 WerFault.exe (5 entries)
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  description / pid / process:
  - Token: SeDebugPrivilege 1784 WMI PERFORMANCE REVERSE ADPIRE.EXE
  - Token: SeDebugPrivilege 340 WMI Performance Reverse Adapters.exe
  - Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, 340 WMI Performance Reverse Adapters.exe (4 pairs)
  - Token: SeDebugPrivilege 1608 WerFault.exe
  - Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, 340 WMI Performance Reverse Adapters.exe (11 pairs)
- Suspicious use of WriteProcessMemory (33 IoCs)
  description / pid / process / target process:
  - PID 1836 wrote to memory of 1120: 0c9e45bf4ffe549dddd3c0735fee3bfee13bb8fa795ac3831ea7cf657dd19dd0.exe -> MRGO.EXE (4 entries)
  - PID 1836 wrote to memory of 1940: 0c9e45bf4ffe549dddd3c0735fee3bfee13bb8fa795ac3831ea7cf657dd19dd0.exe -> WMI PERFORMANCE REVERSE ADAPTER.EXE (4 entries)
  - PID 1836 wrote to memory of 1784: 0c9e45bf4ffe549dddd3c0735fee3bfee13bb8fa795ac3831ea7cf657dd19dd0.exe -> WMI PERFORMANCE REVERSE ADPIRE.EXE (4 entries)
  - PID 1940 wrote to memory of 340: WMI PERFORMANCE REVERSE ADAPTER.EXE -> WMI Performance Reverse Adapters.exe (4 entries)
  - PID 340 wrote to memory of 1556: WMI Performance Reverse Adapters.exe -> netsh.exe (4 entries)
  - PID 1784 wrote to memory of 832: WMI PERFORMANCE REVERSE ADPIRE.EXE -> mscorsvw.exe (9 entries)
  - PID 1120 wrote to memory of 1608: MRGO.EXE -> WerFault.exe (3 entries)
  - PID 1784 wrote to memory of 832: WMI PERFORMANCE REVERSE ADPIRE.EXE -> mscorsvw.exe (1 entry)
Processes
- C:\Users\Admin\AppData\Local\Temp\0c9e45bf4ffe549dddd3c0735fee3bfee13bb8fa795ac3831ea7cf657dd19dd0.exe (PID 1836)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c9e45bf4ffe549dddd3c0735fee3bfee13bb8fa795ac3831ea7cf657dd19dd0.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MRGO.EXE (PID 1120)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MRGO.EXE"
    Signatures: Executes dropped EXE; Checks BIOS information in registry; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WerFault.exe (PID 1608)
      Command line: C:\Windows\system32\WerFault.exe -u -p 1120 -s 680
      Signatures: Loads dropped DLL; Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADAPTER.EXE (PID 1940)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADAPTER.EXE"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\WMI Performance Reverse Adapters.exe (PID 340)
      Command line: "C:\Users\Admin\AppData\Local\Temp\WMI Performance Reverse Adapters.exe"
      Signatures: Executes dropped EXE; Drops startup file; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe (PID 1556)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WMI Performance Reverse Adapters.exe" "WMI Performance Reverse Adapters.exe" ENABLE
  - C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADPIRE.EXE (PID 1784)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WMI PERFORMANCE REVERSE ADPIRE.EXE"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (PID 832)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads