Analysis
max time kernel: 142s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 01:59
Static task: static1
Behavioral task: behavioral1
Sample: c91c0745dcd02dbffa34747dd26e85e3e124a62d0812c125b6bc67792b66c8dc.exe
Resource: win7-20240215-en
Behavioral task: behavioral2
Sample: c91c0745dcd02dbffa34747dd26e85e3e124a62d0812c125b6bc67792b66c8dc.exe
Resource: win10v2004-20240226-en
General
Target: c91c0745dcd02dbffa34747dd26e85e3e124a62d0812c125b6bc67792b66c8dc.exe
Size: 13.3MB
MD5: 42c32b8ee377ce3bcf36f51fb7bc93a8
SHA1: 819d0926c93704884a882967d820d6f753732d37
SHA256: c91c0745dcd02dbffa34747dd26e85e3e124a62d0812c125b6bc67792b66c8dc
SHA512: d9c5d1a4ab4c873d819a36d6b2219667d01cd5007a6c1f9c8828c5bd0f0907a56ec1cdf3339274805db53e572c1a259f8193ad8738e0f6e4b8caceec5a84b284
SSDEEP: 393216:uEtDIsayzJASQzBVLw1HY80t92B3s6Mo85oZBn55i1C:uEVHZASUYH50tCVdmoZB55iA
Malware Config
Signatures
-
Detect ZGRat V1 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1340-115-0x0000000000740000-0x0000000000800000-memory.dmp | family_zgrat_v1
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1340-115-0x0000000000740000-0x0000000000800000-memory.dmp | family_redline
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
Processes: Spy.pif
description | pid | process | target process
PID 4260 created 3364 | 4260 | Spy.pif | Explorer.EXE
PID 4260 created 3364 | 4260 | Spy.pif | Explorer.EXE
PID 4260 created 3364 | 4260 | Spy.pif | Explorer.EXE
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: c91c0745dcd02dbffa34747dd26e85e3e124a62d0812c125b6bc67792b66c8dc.exe, Celery V3.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | c91c0745dcd02dbffa34747dd26e85e3e124a62d0812c125b6bc67792b66c8dc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | Celery V3.exe
-
Executes dropped EXE 5 IoCs
Processes: Celery V3.exe, Spy.pif, RegAsm.exe, RegAsm.exe, RegAsm.exe
pid | process
1912 | Celery V3.exe
4260 | Spy.pif
4280 | RegAsm.exe
3840 | RegAsm.exe
1340 | RegAsm.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes: tasklist.exe, tasklist.exe
pid | process
208 | tasklist.exe
2660 | tasklist.exe
-
Processes: RegAsm.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | RegAsm.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob | RegAsm.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes: Spy.pif
pid | process
4260 | Spy.pif
4260 | Spy.pif
4260 | Spy.pif
4260 | Spy.pif
4260 | Spy.pif
4260 | Spy.pif
4260 | Spy.pif
4260 | Spy.pif
4260 | Spy.pif
4260 | Spy.pif
4260 | Spy.pif
4260 | Spy.pif
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: tasklist.exe, tasklist.exe
description | pid | process
Token: SeDebugPrivilege | 208 | tasklist.exe
Token: SeDebugPrivilege | 2660 | tasklist.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes: Spy.pif
pid | process
4260 | Spy.pif
4260 | Spy.pif
4260 | Spy.pif
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes: Spy.pif
pid | process
4260 | Spy.pif
4260 | Spy.pif
4260 | Spy.pif
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes: c91c0745dcd02dbffa34747dd26e85e3e124a62d0812c125b6bc67792b66c8dc.exe, Celery V3.exe, cmd.exe, Spy.pif
description | pid | process | target process
PID 1972 wrote to memory of 1912 | 1972 | c91c0745dcd02dbffa34747dd26e85e3e124a62d0812c125b6bc67792b66c8dc.exe | Celery V3.exe
PID 1972 wrote to memory of 1912 | 1972 | c91c0745dcd02dbffa34747dd26e85e3e124a62d0812c125b6bc67792b66c8dc.exe | Celery V3.exe
PID 1972 wrote to memory of 1912 | 1972 | c91c0745dcd02dbffa34747dd26e85e3e124a62d0812c125b6bc67792b66c8dc.exe | Celery V3.exe
PID 1912 wrote to memory of 1244 | 1912 | Celery V3.exe | cmd.exe
PID 1912 wrote to memory of 1244 | 1912 | Celery V3.exe | cmd.exe
PID 1912 wrote to memory of 1244 | 1912 | Celery V3.exe | cmd.exe
PID 1244 wrote to memory of 208 | 1244 | cmd.exe | msedge.exe
PID 1244 wrote to memory of 208 | 1244 | cmd.exe | msedge.exe
PID 1244 wrote to memory of 208 | 1244 | cmd.exe | msedge.exe
PID 1244 wrote to memory of 1920 | 1244 | cmd.exe | findstr.exe
PID 1244 wrote to memory of 1920 | 1244 | cmd.exe | findstr.exe
PID 1244 wrote to memory of 1920 | 1244 | cmd.exe | findstr.exe
PID 1244 wrote to memory of 2660 | 1244 | cmd.exe | tasklist.exe
PID 1244 wrote to memory of 2660 | 1244 | cmd.exe | tasklist.exe
PID 1244 wrote to memory of 2660 | 1244 | cmd.exe | tasklist.exe
PID 1244 wrote to memory of 4032 | 1244 | cmd.exe | findstr.exe
PID 1244 wrote to memory of 4032 | 1244 | cmd.exe | findstr.exe
PID 1244 wrote to memory of 4032 | 1244 | cmd.exe | findstr.exe
PID 1244 wrote to memory of 3052 | 1244 | cmd.exe | cmd.exe
PID 1244 wrote to memory of 3052 | 1244 | cmd.exe | cmd.exe
PID 1244 wrote to memory of 3052 | 1244 | cmd.exe | cmd.exe
PID 1244 wrote to memory of 2692 | 1244 | cmd.exe | findstr.exe
PID 1244 wrote to memory of 2692 | 1244 | cmd.exe | findstr.exe
PID 1244 wrote to memory of 2692 | 1244 | cmd.exe | findstr.exe
PID 1244 wrote to memory of 3480 | 1244 | cmd.exe | cmd.exe
PID 1244 wrote to memory of 3480 | 1244 | cmd.exe | cmd.exe
PID 1244 wrote to memory of 3480 | 1244 | cmd.exe | cmd.exe
PID 1244 wrote to memory of 4260 | 1244 | cmd.exe | Spy.pif
PID 1244 wrote to memory of 4260 | 1244 | cmd.exe | Spy.pif
PID 1244 wrote to memory of 4260 | 1244 | cmd.exe | Spy.pif
PID 1244 wrote to memory of 4664 | 1244 | cmd.exe | PING.EXE
PID 1244 wrote to memory of 4664 | 1244 | cmd.exe | PING.EXE
PID 1244 wrote to memory of 4664 | 1244 | cmd.exe | PING.EXE
PID 4260 wrote to memory of 4280 | 4260 | Spy.pif | RegAsm.exe
PID 4260 wrote to memory of 4280 | 4260 | Spy.pif | RegAsm.exe
PID 4260 wrote to memory of 4280 | 4260 | Spy.pif | RegAsm.exe
PID 4260 wrote to memory of 3840 | 4260 | Spy.pif | RegAsm.exe
PID 4260 wrote to memory of 3840 | 4260 | Spy.pif | RegAsm.exe
PID 4260 wrote to memory of 3840 | 4260 | Spy.pif | RegAsm.exe
PID 4260 wrote to memory of 1340 | 4260 | Spy.pif | RegAsm.exe
PID 4260 wrote to memory of 1340 | 4260 | Spy.pif | RegAsm.exe
PID 4260 wrote to memory of 1340 | 4260 | Spy.pif | RegAsm.exe
PID 4260 wrote to memory of 1340 | 4260 | Spy.pif | RegAsm.exe
PID 4260 wrote to memory of 1340 | 4260 | Spy.pif | RegAsm.exe
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3364
  - C:\Users\Admin\AppData\Local\Temp\c91c0745dcd02dbffa34747dd26e85e3e124a62d0812c125b6bc67792b66c8dc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c91c0745dcd02dbffa34747dd26e85e3e124a62d0812c125b6bc67792b66c8dc.exe"
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    PID: 1972
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Celery V3.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Celery V3.exe"
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
      PID: 1912
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c move Earned Earned.cmd && Earned.cmd
        Signatures: Suspicious use of WriteProcessMemory
        PID: 1244
        - C:\Windows\SysWOW64\tasklist.exe
          Command line: tasklist
          Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
          PID: 208
        - C:\Windows\SysWOW64\findstr.exe
          Command line: findstr /I "wrsa.exe opssvc.exe"
          PID: 1920
        - C:\Windows\SysWOW64\tasklist.exe
          Command line: tasklist
          Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
          PID: 2660
        - C:\Windows\SysWOW64\findstr.exe
          Command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
          PID: 4032
        - C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c md 1181
          PID: 3052
        - C:\Windows\SysWOW64\findstr.exe
          Command line: findstr /V "CalculationsExpediaJumpExchanges" Application
          PID: 2692
        - C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c copy /b Trials + Explains + External + Fighting + Get + Rights 1181\z
          PID: 3480
        - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1181\Spy.pif
          Command line: 1181\Spy.pif 1181\z
          Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
          PID: 4260
        - C:\Windows\SysWOW64\PING.EXE
          Command line: ping -n 5 127.0.0.1
          Signatures: Runs ping.exe
          PID: 4664
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1181\RegAsm.exe
    Command line: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1181\RegAsm.exe
    Signatures: Executes dropped EXE
    PID: 4280
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1181\RegAsm.exe
    Command line: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1181\RegAsm.exe
    Signatures: Executes dropped EXE
    PID: 3840
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1181\RegAsm.exe
    Command line: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1181\RegAsm.exe
    Signatures: Executes dropped EXE; Modifies system certificate store
    PID: 1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3688 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
  PID: 208
Network
MITRE ATT&CK Enterprise v15
Downloads