Analysis
- max time kernel: 37s
- max time network: 46s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 29/05/2024, 09:21
General
- Target: docfus.exe
- Size: 6.9MB
- MD5: 3554fa1057f1f0791928af0eb9509e69
- SHA1: 3bbe43d751b9d67293dd2d2d352281630a8f36d9
- SHA256: 5c70f002867b29b543af81320920cf2297ab4f4ed9b42b3b8fc432232fb91100
- SHA512: 8ca399928e4a7cc2cf68f1bcda362394d973e856d022103371eda7324e00d2a54d3e8be8c74efc82b08d3aa599389064b8068449f56eee4b07f77b00df91cedd
- SSDEEP: 196608:ls2g8QA1HeT39IigFeE9TFa0Z8DOjCdylEmQVyeoD:pp1+TtIiRY9Z8D8CclEt4D
Malware Config
Signatures
- Loads dropped DLL (4 IoCs)
  pid | Process
  1764 | docfus.exe
  1764 | docfus.exe
  1764 | docfus.exe
  1764 | docfus.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks processor information in registry (2 TTPs, 10 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
- Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings | firefox.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3160 | firefox.exe
  Token: SeDebugPrivilege | 3160 | firefox.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid | Process
  3160 | firefox.exe
  3160 | firefox.exe
  3160 | firefox.exe
  3160 | firefox.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid | Process
  3160 | firefox.exe
  3160 | firefox.exe
  3160 | firefox.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  3160 | firefox.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\docfus.exe (PID 3844)
  Command line: "C:\Users\Admin\AppData\Local\Temp\docfus.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\docfus.exe (PID 1764)
    Command line: "C:\Users\Admin\AppData\Local\Temp\docfus.exe"
    - Loads dropped DLL
- C:\Program Files\Mozilla Firefox\firefox.exe (PID 464)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3160)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 5060)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.0.2020837802\1509273271" -parentBuildID 20230214051806 -prefsHandle 1812 -prefMapHandle 1804 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {93182c3d-bea7-491c-9355-1718dcd563eb} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 1892 2207fb08a58 gpu
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2172)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.1.2056235015\294578408" -parentBuildID 20230214051806 -prefsHandle 2404 -prefMapHandle 2396 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0aa5599a-645f-4d10-8ea6-d6fe65319d2f} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 2416 22008169d58 socket
      - Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2288)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.2.664488653\474598433" -childID 1 -isForBrowser -prefsHandle 3204 -prefMapHandle 3200 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 944 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4aa31080-33c9-4034-bd14-909747464887} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 2652 2200ab05558 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 548)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.3.2048874231\1468017725" -childID 2 -isForBrowser -prefsHandle 3432 -prefMapHandle 1164 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 944 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b07fa555-a525-4561-b477-7d0b34e96554} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 3576 2200d723558 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1860)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.4.1898997324\621326027" -childID 3 -isForBrowser -prefsHandle 5020 -prefMapHandle 5004 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 944 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e53639f-1793-41d6-92af-25d3c0be0201} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 5016 22010081958 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1680)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.5.1398113370\640719356" -childID 4 -isForBrowser -prefsHandle 5252 -prefMapHandle 5248 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 944 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f011463-b504-4f80-a5de-fd041d5eef0b} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 5260 2201007fe58 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1720)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.6.1983847479\561608248" -childID 5 -isForBrowser -prefsHandle 5260 -prefMapHandle 5280 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 944 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {757b55a1-8e0c-4cde-980f-7fb76544767d} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 5048 22010080d58 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3076)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3160.7.886940304\160881901" -childID 6 -isForBrowser -prefsHandle 5820 -prefMapHandle 5816 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 944 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53296d61-09d4-43f8-a038-773bf120f2f1} 3160 "\\.\pipe\gecko-crash-server-pipe.3160" 5724 22011aa9258 tab
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mg2c1myw.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 27KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionCheckpoints.json
Filesize: 259B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 3KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mg2c1myw.default-release\sessionstore.jsonlz4
Filesize: 7KB