Analysis
-
max time kernel
47s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20230831-en -
resource tags
arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system -
submitted
14/09/2023, 17:03
Static task
static1
Behavioral task
behavioral1
Sample
52d8af024085117c953e51448794db1ce4bc411436df0d7b692381626c84b9e1_JC.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
52d8af024085117c953e51448794db1ce4bc411436df0d7b692381626c84b9e1_JC.exe
Resource
win10v2004-20230831-en
General
-
Target
52d8af024085117c953e51448794db1ce4bc411436df0d7b692381626c84b9e1_JC.exe
-
Size
300KB
-
MD5
33487d7db4df8e52bbdfac0a3ee75c40
-
SHA1
6f85b757c4ffc7075c83931901dc131eeeca1149
-
SHA256
52d8af024085117c953e51448794db1ce4bc411436df0d7b692381626c84b9e1
-
SHA512
9b08c2fa12d23335ef317820d4429b66ccfa5e1dae0359f23a94e4d904b53a1bca08a640bdf4e640d11b7fd985d6243786694d661d9e4c5a68afb0f7d0d321b6
-
SSDEEP
6144:NGb3meV4m9q/EmtNsGyLP/r6pvEws/Hd:NgPVP9QTNsn/r6pvE9/9
Malware Config
Extracted
smokeloader
2022
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
Extracted
redline
38.181.25.43:3325
-
auth_value
082cde17c5630749ecb0376734fe99c9
Extracted
redline
lux3
176.123.9.142:14845
-
auth_value
e94dff9a76da90d6b000642c4a52574b
Extracted
amadey
3.87
http://79.137.192.18/9bDc8sQ/index.php
-
install_dir
577f58beff
-
install_file
yiueea.exe
-
strings_key
a5085075a537f09dec81cc154ec0af4d
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
51.38.95.107:42494
-
auth_value
3a050df92d0cf082b2cdaf87863616be
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
pid Process 1172 48EB.exe 876 4A63.exe 4672 4B00.exe 2648 59F5.exe 2608 5B8D.exe 2908 6265.exe 564 64E6.exe 2680 6E7C.exe -
Loads dropped DLL 1 IoCs
pid Process 4956 regsvr32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 52d8af024085117c953e51448794db1ce4bc411436df0d7b692381626c84b9e1_JC.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 52d8af024085117c953e51448794db1ce4bc411436df0d7b692381626c84b9e1_JC.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 52d8af024085117c953e51448794db1ce4bc411436df0d7b692381626c84b9e1_JC.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1240 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2184 52d8af024085117c953e51448794db1ce4bc411436df0d7b692381626c84b9e1_JC.exe 2184 52d8af024085117c953e51448794db1ce4bc411436df0d7b692381626c84b9e1_JC.exe 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found 3132 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2184 52d8af024085117c953e51448794db1ce4bc411436df0d7b692381626c84b9e1_JC.exe -
Suspicious use of AdjustPrivilegeToken 22 IoCs
description pid Process Token: SeShutdownPrivilege 3132 Process not Found Token: SeCreatePagefilePrivilege 3132 Process not Found Token: SeShutdownPrivilege 3132 Process not Found Token: SeCreatePagefilePrivilege 3132 Process not Found Token: SeShutdownPrivilege 3132 Process not Found Token: SeCreatePagefilePrivilege 3132 Process not Found Token: SeShutdownPrivilege 3132 Process not Found Token: SeCreatePagefilePrivilege 3132 Process not Found Token: SeShutdownPrivilege 3132 Process not Found Token: SeCreatePagefilePrivilege 3132 Process not Found Token: SeShutdownPrivilege 3132 Process not Found Token: SeCreatePagefilePrivilege 3132 Process not Found Token: SeShutdownPrivilege 3132 Process not Found Token: SeCreatePagefilePrivilege 3132 Process not Found Token: SeShutdownPrivilege 3132 Process not Found Token: SeCreatePagefilePrivilege 3132 Process not Found Token: SeShutdownPrivilege 3132 Process not Found Token: SeCreatePagefilePrivilege 3132 Process not Found Token: SeShutdownPrivilege 3132 Process not Found Token: SeCreatePagefilePrivilege 3132 Process not Found Token: SeShutdownPrivilege 3132 Process not Found Token: SeCreatePagefilePrivilege 3132 Process not Found -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 3132 wrote to memory of 1172 3132 Process not Found 93 PID 3132 wrote to memory of 1172 3132 Process not Found 93 PID 3132 wrote to memory of 1172 3132 Process not Found 93 PID 3132 wrote to memory of 876 3132 Process not Found 94 PID 3132 wrote to memory of 876 3132 Process not Found 94 PID 3132 wrote to memory of 876 3132 Process not Found 94 PID 3132 wrote to memory of 4672 3132 Process not Found 96 PID 3132 wrote to memory of 4672 3132 Process not Found 96 PID 3132 wrote to memory of 4672 3132 Process not Found 96 PID 3132 wrote to memory of 2648 3132 Process not Found 98 PID 3132 wrote to memory of 2648 3132 Process not Found 98 PID 3132 wrote to memory of 2648 3132 Process not Found 98 PID 3132 wrote to memory of 2608 3132 Process not Found 99 PID 3132 wrote to memory of 2608 3132 Process not Found 99 PID 3132 wrote to memory of 4480 3132 Process not Found 100 PID 3132 wrote to memory of 4480 3132 Process not Found 100 PID 4480 wrote to memory of 4956 4480 regsvr32.exe 102 PID 4480 wrote to memory of 4956 4480 regsvr32.exe 102 PID 4480 wrote to memory of 4956 4480 regsvr32.exe 102 PID 3132 wrote to memory of 2908 3132 Process not Found 101 PID 3132 wrote to memory of 2908 3132 Process not Found 101 PID 3132 wrote to memory of 2908 3132 Process not Found 101 PID 3132 wrote to memory of 564 3132 Process not Found 103 PID 3132 wrote to memory of 564 3132 Process not Found 103 PID 3132 wrote to memory of 564 3132 Process not Found 103 PID 3132 wrote to memory of 2680 3132 Process not Found 105 PID 3132 wrote to memory of 2680 3132 Process not Found 105 PID 3132 wrote to memory of 2680 3132 Process not Found 105 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\52d8af024085117c953e51448794db1ce4bc411436df0d7b692381626c84b9e1_JC.exe"C:\Users\Admin\AppData\Local\Temp\52d8af024085117c953e51448794db1ce4bc411436df0d7b692381626c84b9e1_JC.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2184
-
C:\Users\Admin\AppData\Local\Temp\48EB.exeC:\Users\Admin\AppData\Local\Temp\48EB.exe1⤵
- Executes dropped EXE
PID:1172
-
C:\Users\Admin\AppData\Local\Temp\4A63.exeC:\Users\Admin\AppData\Local\Temp\4A63.exe1⤵
- Executes dropped EXE
PID:876
-
C:\Users\Admin\AppData\Local\Temp\4B00.exeC:\Users\Admin\AppData\Local\Temp\4B00.exe1⤵
- Executes dropped EXE
PID:4672
-
C:\Users\Admin\AppData\Local\Temp\59F5.exeC:\Users\Admin\AppData\Local\Temp\59F5.exe1⤵
- Executes dropped EXE
PID:2648
-
C:\Users\Admin\AppData\Local\Temp\5B8D.exeC:\Users\Admin\AppData\Local\Temp\5B8D.exe1⤵
- Executes dropped EXE
PID:2608
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\607F.dll1⤵
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\607F.dll2⤵
- Loads dropped DLL
PID:4956
-
-
C:\Users\Admin\AppData\Local\Temp\6265.exeC:\Users\Admin\AppData\Local\Temp\6265.exe1⤵
- Executes dropped EXE
PID:2908
-
C:\Users\Admin\AppData\Local\Temp\64E6.exeC:\Users\Admin\AppData\Local\Temp\64E6.exe1⤵
- Executes dropped EXE
PID:564 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:4148
-
-
C:\Users\Admin\AppData\Local\Temp\6E7C.exeC:\Users\Admin\AppData\Local\Temp\6E7C.exe1⤵
- Executes dropped EXE
PID:2680 -
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"2⤵PID:4476
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F3⤵
- Creates scheduled task(s)
PID:1240
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit3⤵PID:3696
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1308
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "yiueea.exe" /P "Admin:N"4⤵PID:3716
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "yiueea.exe" /P "Admin:R" /E4⤵PID:3100
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1168
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\577f58beff" /P "Admin:N"4⤵PID:3104
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\577f58beff" /P "Admin:R" /E4⤵PID:1516
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exeC:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe1⤵PID:400
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
696KB
MD5b5a67916054e01de81ec66ef37585346
SHA11ac7d03be26786858be1d45f34da5c9be73a78a5
SHA256e883990293c39ceecaeb60f66867f802afce08920428540f1e7acf7bd383dd3c
SHA5125bacbb1f56a6b59002eba592c14a965b32a415893a5d36ae1e59a87e307c940b2cc43786f13a09d47167b0ae27ac16ef7181bcc653972522c416f11b2c40677d
-
Filesize
696KB
MD5b5a67916054e01de81ec66ef37585346
SHA11ac7d03be26786858be1d45f34da5c9be73a78a5
SHA256e883990293c39ceecaeb60f66867f802afce08920428540f1e7acf7bd383dd3c
SHA5125bacbb1f56a6b59002eba592c14a965b32a415893a5d36ae1e59a87e307c940b2cc43786f13a09d47167b0ae27ac16ef7181bcc653972522c416f11b2c40677d
-
Filesize
273KB
MD5fc55462468d1a34e514d01aa30c0a5cd
SHA1168e4cd58a14f9e4591d49877ab5cb08e9a142a0
SHA25674ccc20216ebd15c3f9c937b7b40653a8c04537a15c95bb46f381c40e0ff194b
SHA512e2ba1facb596a2e54284b6556bb6a485cc213deae1b270f71e283412c4ba58aff78cff349ab329e110c09455c531f2d1b65b1cbb1c23ed0cd74647bfba7f4b6d
-
Filesize
273KB
MD5fc55462468d1a34e514d01aa30c0a5cd
SHA1168e4cd58a14f9e4591d49877ab5cb08e9a142a0
SHA25674ccc20216ebd15c3f9c937b7b40653a8c04537a15c95bb46f381c40e0ff194b
SHA512e2ba1facb596a2e54284b6556bb6a485cc213deae1b270f71e283412c4ba58aff78cff349ab329e110c09455c531f2d1b65b1cbb1c23ed0cd74647bfba7f4b6d
-
Filesize
273KB
MD5ed6778e6fe0c07587f4892c807d7f883
SHA13a94caa9336934ca2b12173b24fa815ea963edcb
SHA256a9f19ec6eec891e21b885a04030995a5c996f0b673c6425ee28b0ef6c70d2898
SHA512b3fffd8485429cbe7c87a6eda24af95d2f497d3d3b47656ea3930c2ced6344f9b13099d419503f0c3dc40661111dac8df1d91eed66f448d58e0880c766859544
-
Filesize
273KB
MD5ed6778e6fe0c07587f4892c807d7f883
SHA13a94caa9336934ca2b12173b24fa815ea963edcb
SHA256a9f19ec6eec891e21b885a04030995a5c996f0b673c6425ee28b0ef6c70d2898
SHA512b3fffd8485429cbe7c87a6eda24af95d2f497d3d3b47656ea3930c2ced6344f9b13099d419503f0c3dc40661111dac8df1d91eed66f448d58e0880c766859544
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
696KB
MD5b5a67916054e01de81ec66ef37585346
SHA11ac7d03be26786858be1d45f34da5c9be73a78a5
SHA256e883990293c39ceecaeb60f66867f802afce08920428540f1e7acf7bd383dd3c
SHA5125bacbb1f56a6b59002eba592c14a965b32a415893a5d36ae1e59a87e307c940b2cc43786f13a09d47167b0ae27ac16ef7181bcc653972522c416f11b2c40677d
-
Filesize
696KB
MD5b5a67916054e01de81ec66ef37585346
SHA11ac7d03be26786858be1d45f34da5c9be73a78a5
SHA256e883990293c39ceecaeb60f66867f802afce08920428540f1e7acf7bd383dd3c
SHA5125bacbb1f56a6b59002eba592c14a965b32a415893a5d36ae1e59a87e307c940b2cc43786f13a09d47167b0ae27ac16ef7181bcc653972522c416f11b2c40677d
-
Filesize
573KB
MD5c82816b9cae5ab07c38a317572f3453f
SHA1ce1911787bf09e30932a07308e9f1b04dcf7f3dd
SHA25607f738a9553af970e5b75ea53d566ae2a04fcdb19642f6c4fe9b820e46b60695
SHA5120451c99010056aab9349295be93f4c41b1a4c9843c07cbc9f0c2a6e9ce7b69ff6ce0dafa05a6a81aebc952cd7bc20d4b74cfe4cacb14ca3c0fc568ef5593182b
-
Filesize
573KB
MD5c82816b9cae5ab07c38a317572f3453f
SHA1ce1911787bf09e30932a07308e9f1b04dcf7f3dd
SHA25607f738a9553af970e5b75ea53d566ae2a04fcdb19642f6c4fe9b820e46b60695
SHA5120451c99010056aab9349295be93f4c41b1a4c9843c07cbc9f0c2a6e9ce7b69ff6ce0dafa05a6a81aebc952cd7bc20d4b74cfe4cacb14ca3c0fc568ef5593182b
-
Filesize
2.8MB
MD5cd473f96a31e502950837fb6ed2fe819
SHA187bf2e1161ef159b56db4a6350d4dfe219f30683
SHA256b862581cd97d94bcd7f955ab75da813d84c182e86722695e3b03f8229c4d6d5c
SHA512509881a3eeec7f6bc7fb6973f0df61dfe631f1636f4fb19024915dc5b6a1c51c1882037a76afad897d3ea67c618ac08ae0b318809626ed06dbbd9dd86a731d94
-
Filesize
2.8MB
MD5cd473f96a31e502950837fb6ed2fe819
SHA187bf2e1161ef159b56db4a6350d4dfe219f30683
SHA256b862581cd97d94bcd7f955ab75da813d84c182e86722695e3b03f8229c4d6d5c
SHA512509881a3eeec7f6bc7fb6973f0df61dfe631f1636f4fb19024915dc5b6a1c51c1882037a76afad897d3ea67c618ac08ae0b318809626ed06dbbd9dd86a731d94
-
Filesize
696KB
MD5c2273e3679c0660d8b4cd294ec6f88a7
SHA11b01c714e54dca1c562ccb77e746a9645eee7cfc
SHA256d68e18e28f3ba8db95da24be50e918d9254214079f1394eb55ce53f772041664
SHA512afd5b5181184449327e77cd116939d5c4c5bb83b4e4e70dc7d7e0579d4b4d66508b238d55a8f05bed9d0df9da6b286ccd2d805140e82db00d943b7fd11e56d4d
-
Filesize
696KB
MD5c2273e3679c0660d8b4cd294ec6f88a7
SHA11b01c714e54dca1c562ccb77e746a9645eee7cfc
SHA256d68e18e28f3ba8db95da24be50e918d9254214079f1394eb55ce53f772041664
SHA512afd5b5181184449327e77cd116939d5c4c5bb83b4e4e70dc7d7e0579d4b4d66508b238d55a8f05bed9d0df9da6b286ccd2d805140e82db00d943b7fd11e56d4d
-
Filesize
1.8MB
MD5c7b34cc95676afe2b43fce196202d3fa
SHA192eb09a6883ef684d3d175ece6599a61266bada9
SHA2568d5bfbac46cfe1f428ba5905fbb0252b08e71d7061b32c3a90d20f451df72060
SHA5120e581a66baba515995b3513698cdf5bd8c6119ea4ce3c3b0f9b7bcf58cbef4eb27188ef976f8f2aaef7b5cd673fb2718df6d4133fc891ccc207d136babbeaa16
-
Filesize
1.8MB
MD5c7b34cc95676afe2b43fce196202d3fa
SHA192eb09a6883ef684d3d175ece6599a61266bada9
SHA2568d5bfbac46cfe1f428ba5905fbb0252b08e71d7061b32c3a90d20f451df72060
SHA5120e581a66baba515995b3513698cdf5bd8c6119ea4ce3c3b0f9b7bcf58cbef4eb27188ef976f8f2aaef7b5cd673fb2718df6d4133fc891ccc207d136babbeaa16
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4
-
Filesize
307KB
MD555f845c433e637594aaf872e41fda207
SHA11188348ca7e52f075e7d1d0031918c2cea93362e
SHA256f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA5125a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4