Analysis
- max time kernel: 120s
- max time network: 152s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 08/09/2022, 19:32
Static task: static1
Behavioral task: behavioral1
- Sample: 597c8b6c97e93b844d134f8d6e185f53dc6cd0d67670ffbdd14bd22c4d0f34a9.exe
- Resource: win10-20220812-en
General
- Target: 597c8b6c97e93b844d134f8d6e185f53dc6cd0d67670ffbdd14bd22c4d0f34a9.exe
- Size: 294KB
- MD5: e1a445b6f4684f2c40adea43df749ac5
- SHA1: 90d0b88eb3c1fcb3c916995b97600e03aa0241a8
- SHA256: 597c8b6c97e93b844d134f8d6e185f53dc6cd0d67670ffbdd14bd22c4d0f34a9
- SHA512: 3e3bb6843c4a1a23ff5fb0d5458d8975a587aa6487ac24a39d5657d760910c5ed1ec7e5617d79074c369c438f54097b2f5d9447b6515cec3568a987c25b3535b
- SSDEEP: 6144:Y9hqGBc2uJP3uroLc0Jm+bc7Y8bxlyd9Xrso12GPJ:YbBWJvu0AILc7Y8/69b7vB
Malware Config
Extracted: redline
- mario_new
- C2 176.122.23.55:11768
- auth_value eeee8d5fcc3ba3a42094ef260c5bdcb4
Extracted: socelars
- https://hueduy.s3.eu-west-1.amazonaws.com/dhfry901/
Extracted: redline
- 1337
- C2 78.153.144.6:2510
- auth_value b0447922bcbc2eda83260a9e7a638f45
Extracted: redline
- nam5
- C2 103.89.90.61:34589
- auth_value f23be8e9063fe5d0c6fc3ee8e7d565bd
Extracted: raccoon
- 567d5bff28c2a18132d2f88511f07435
- http://116.203.167.5/
- http://195.201.248.58/
Three distinct RedLine configurations, each with its own C2 host:port and auth_value, were recovered; they correspond to the three AppLaunch.exe instances that carry RedLine memory matches in the Signatures section.
Signatures
-
Detects Smokeloader packer (1 IoC)
yara_rule family_smokeloader:
- behavioral1/memory/102208-579-0x00000000001E0000-0x00000000001E9000-memory.dmp
-
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: rundll32.exe (pid 102608), pid_target 102052, procid_target 72
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (6 IoCs)
yara_rule family_redline:
- behavioral1/memory/101460-163-0x0000000000400000-0x0000000000460000-memory.dmp
- behavioral1/memory/101460-168-0x000000000045B03E-mapping.dmp
- behavioral1/memory/103188-960-0x0000000000422116-mapping.dmp
- behavioral1/memory/101832-1003-0x000000000041ADC2-mapping.dmp
- behavioral1/memory/103188-1098-0x0000000000400000-0x0000000000428000-memory.dmp
- behavioral1/memory/101832-1189-0x0000000000400000-0x0000000000420000-memory.dmp
All six matches are in AppLaunch.exe instances (pids 101460, 103188 and 101832), spawned by the dropped 735B.exe, 1D9A.exe and 21B2.exe respectively: the RedLine payload runs inside the .NET host, not from the dropped files on disk.
-
SmokeLoader
Modular backdoor trojan, in use since 2011.
-
Socelars payload (1 IoC)
yara_rule family_socelars:
- behavioral1/memory/102396-800-0x0000000000400000-0x000000000058E000-memory.dmp
-
Downloads MZ/PE file
-
Executes dropped EXE (7 IoCs)
pid / Process:
- 4076 735B.exe
- 101908 9BD3.exe
- 102208 A75E.exe
- 102396 F187.exe
- 101824 1BF3.exe
- 101804 1D9A.exe
- 102520 21B2.exe
yara_rule upx (4 IoCs; the signature title for this table is missing from the page):
- behavioral1/files/0x000700000001ac2f-680.dat
- behavioral1/files/0x000700000001ac2f-687.dat
- behavioral1/memory/102396-715-0x0000000000400000-0x000000000058E000-memory.dmp
- behavioral1/memory/102396-800-0x0000000000400000-0x000000000058E000-memory.dmp
-
Deletes itself (1 IoC)
- pid 2760, Process not Found (the sandbox could not map this pid to a tracked image; the WriteProcessMemory entries show 2760 as the parent that wrote into every dropped payload)
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies, autofill entries and session tokens.
-
Unexpected DNS network traffic destination (1 IoC)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Destination IP 34.142.181.181
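The indicators above (the three RedLine C2 host:port pairs, the Raccoon C2 URLs, the Socelars S3 URL and the unexpected DNS-port destination) are only useful once they are matched against traffic. The following is an added example, not part of the sandbox report: it loads those indicators and runs them over constructed connection and proxy records. The resolver addresses in CONFIGURED_RESOLVERS, the client IP, the timestamps and the file name appended to the S3 URL are assumptions made for the example; the indicators themselves are copied from the report.

```python
"""Match network indicators from the extracted configs against log records.

Added example, not part of the sandbox report. SAMPLE_CONN and SAMPLE_PROXY
are constructed to resemble Zeek conn.log and a proxy access log; they are
not captures from this analysis run.
"""
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the report's Malware Config section and from the
# "Unexpected DNS network traffic destination" signature.
REDLINE_C2 = {
    ("176.122.23.55", 11768): "redline/mario_new",
    ("78.153.144.6", 2510): "redline/1337",
    ("103.89.90.61", 34589): "redline/nam5",
}
RACCOON_C2 = {"116.203.167.5", "195.201.248.58"}
SOCELARS_URL = "https://hueduy.s3.eu-west-1.amazonaws.com/dhfry901/"
UNEXPECTED_DNS_DST = "34.142.181.181"

# Assumption for the example: the monitored network's own resolvers.
CONFIGURED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


def check_conn(src, dst, dport, proto):
    """Classify one connection record; returns a finding string or None."""
    if (dst, dport) in REDLINE_C2:
        return f"{REDLINE_C2[(dst, dport)]} C2 {dst}:{dport} from {src}"
    if dst in RACCOON_C2 and dport in (80, 443):
        return f"raccoon C2 {dst}:{dport} from {src}"
    if dport == 53 and dst not in CONFIGURED_RESOLVERS:
        # Same logic as the report's signature: DNS-port traffic to a
        # destination that is not one of the configured resolvers.
        tag = "known-bad" if dst == UNEXPECTED_DNS_DST else "unexpected"
        return f"{tag} DNS-port traffic to {dst} ({proto}) from {src}"
    return None


def check_url(src, url):
    """Proxy-log variant: Raccoon by host, Socelars by URL prefix."""
    u = urlsplit(url)
    if u.hostname in RACCOON_C2:
        return f"raccoon C2 URL {url} from {src}"
    if url.startswith(SOCELARS_URL):
        # The report gives only the bucket path, so match on the prefix
        # rather than guessing object names.
        return f"socelars payload URL {url} from {src}"
    return None


def scan_conn_log(lines):
    """lines: 'ts src dst dport proto', whitespace-separated (Zeek-like)."""
    findings = []
    for line in lines:
        ts, src, dst, dport, proto = line.split()
        ipaddress.ip_address(dst)  # reject malformed records before matching
        hit = check_conn(src, dst, int(dport), proto)
        if hit:
            findings.append((ts, hit))
    return findings


def scan_proxy_log(lines):
    """lines: 'ts src url', whitespace-separated."""
    findings = []
    for line in lines:
        ts, src, url = line.split(maxsplit=2)
        hit = check_url(src, url)
        if hit:
            findings.append((ts, hit))
    return findings


# Constructed sample records (not from the sandbox run).
SAMPLE_CONN = [
    "1660070000.1 10.0.0.7 176.122.23.55 11768 tcp",
    "1660070001.2 10.0.0.7 10.0.0.53 53 udp",
    "1660070002.3 10.0.0.7 34.142.181.181 53 udp",
    "1660070003.4 10.0.0.7 195.201.248.58 80 tcp",
    "1660070004.5 10.0.0.7 142.250.74.46 443 tcp",
]
SAMPLE_PROXY = [
    "1660070005.6 10.0.0.7 https://hueduy.s3.eu-west-1.amazonaws.com/dhfry901/payload.bin",
    "1660070006.7 10.0.0.7 https://clients2.google.com/cr/report",
]

if __name__ == "__main__":
    for ts, finding in scan_conn_log(SAMPLE_CONN) + scan_proxy_log(SAMPLE_PROXY):
        print(ts, finding)
```

The Socelars URL is HTTPS, so on a plain flow record only the S3 hostname is visible; the path prefix can be matched only where a proxy or TLS-inspecting gateway logs full URLs, which is why the example keeps the two log shapes separate. Matching the RedLine C2s on host and port together avoids flagging unrelated traffic to the same address on other ports.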
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
-
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
The Socelars configuration above points at an Amazon S3 bucket URL.
-
Suspicious use of SetThreadContext (1 IoC)
- 735B.exe (pid 4076) set thread context of pid 101460 (AppLaunch.exe), procid_target 68
Together with the five WriteProcessMemory entries from 4076 into 101460 this is the process-hollowing pattern: the dropper starts the signed .NET host AppLaunch.exe, writes the payload into it and redirects its thread; the RedLine yara matches for pid 101460 above are that payload.
-
Drops file in Program Files directory (10 IoCs)
All by F187.exe:
- File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png
- File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js
- File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html
- File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js
- File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js
- File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js
- File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js
- File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js
- File created C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json
- File opened for modification C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js
The directory name has the 32-letter form of a Chrome extension ID and the file set (manifest.json, background.html, background.js, content.js plus AES helper scripts) is an unpacked browser extension. This fits the rest of the tree: F187.exe runs taskkill /f /im chrome.exe, relaunches chrome.exe itself, and the relaunched browser has an --extension-process renderer.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature is "likely ransomware behaviour"; nothing in this report shows encryption activity, and the families identified (SmokeLoader, RedLine, Socelars, Raccoon) are loaders and stealers, so treat the hit as drive enumeration rather than evidence of ransomware.
-
Program crash (2 IoCs)
- WerFault.exe pid 101568 for crashed pid 4076 (735B.exe), procid_target 66
- WerFault.exe pid 102328 for crashed pid 102208 (A75E.exe), procid_target 73
-
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments: the device identifiers under Enum\SCSI expose the virtual disk vendor and model strings of a VM.
- Key opened, queried and enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 597c8b6c97e93b844d134f8d6e185f53dc6cd0d67670ffbdd14bd22c4d0f34a9.exe
- Key opened, queried and enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 9BD3.exe
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
All by chrome.exe:
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
-
Kills process with taskkill (1 IoC)
- pid 102136 taskkill.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 4208 597c8b6c97e93b844d134f8d6e185f53dc6cd0d67670ffbdd14bd22c4d0f34a9.exe (2 entries)
- pid 2760 Process not Found (62 entries)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- pid 2760 Process not Found
-
Suspicious behavior: MapViewOfSection (2 IoCs)
- pid 4208 597c8b6c97e93b844d134f8d6e185f53dc6cd0d67670ffbdd14bd22c4d0f34a9.exe
- pid 101908 9BD3.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
- pid 102376 chrome.exe (4 entries)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- pid 2760 Process not Found: SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating (18 entries before the F187.exe block, 10 after it)
- pid 101460 AppLaunch.exe: SeDebugPrivilege
- pid 102396 F187.exe (34 entries): SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
- pid 102136 taskkill.exe: SeDebugPrivilege
F187.exe requesting every privilege in the list in one pass, including ones such as SeCreateTokenPrivilege and SeTcbPrivilege that an ordinary user token does not hold, is the blanket enable-all-privileges call common in droppers; AdjustTokenPrivileges only enables what the token already has, so the entries record the attempt, not a gain. The numeric entries 31 to 35 are privilege LUIDs the report does not resolve to names.
-
Suspicious use of FindShellTrayWindow (26 IoCs)
- pid 102376 chrome.exe (26 entries)
-
Suspicious use of SendNotifyMessage (24 IoCs)
- pid 102376 chrome.exe (24 entries)
-
Suspicious use of WriteProcessMemory (64 IoCs)
Grouped as writer pid -> target pid (entry count, procid_target):
- 2760 Process not Found -> 4076 (3, 66)
- 4076 735B.exe -> 101460 (5, 68)
- 2760 Process not Found -> 101908 (3, 71)
- 2760 Process not Found -> 102208 (3, 73)
- 2760 Process not Found -> 102396 (3, 75)
- 102396 F187.exe -> 101988 (3, 76)
- 101988 cmd.exe -> 102136 (3, 78)
- 102396 F187.exe -> 102376 (2, 79)
- 102376 chrome.exe -> 101472 (2, 80)
- 102376 chrome.exe -> 101628 (37, 83)
Processes
-
C:\Users\Admin\AppData\Local\Temp\597c8b6c97e93b844d134f8d6e185f53dc6cd0d67670ffbdd14bd22c4d0f34a9.exe (PID 4208)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\597c8b6c97e93b844d134f8d6e185f53dc6cd0d67670ffbdd14bd22c4d0f34a9.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\735B.exe (PID 4076)
    cmdline: C:\Users\Admin\AppData\Local\Temp\735B.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 101460)
        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe (PID 101568)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 196612
        - Program crash
-
C:\Users\Admin\AppData\Local\Temp\9BD3.exe (PID 101908)
    cmdline: C:\Users\Admin\AppData\Local\Temp\9BD3.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\A75E.exe (PID 102208)
    cmdline: C:\Users\Admin\AppData\Local\Temp\A75E.exe
    - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe (PID 102328)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 102208 -s 480
        - Program crash
-
C:\Users\Admin\AppData\Local\Temp\F187.exe (PID 102396)
    cmdline: C:\Users\Admin\AppData\Local\Temp\F187.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 101988)
        cmdline: cmd.exe /c taskkill /f /im chrome.exe
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\taskkill.exe (PID 102136)
            cmdline: taskkill /f /im chrome.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 102376)
        cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe"
        - Enumerates system info in registry
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 101472)
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7fff8a054f50,0x7fff8a054f60,0x7fff8a054f70
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 101620)
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,4990728458495435643,14473516948697671501,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1696 /prefetch:8
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 101628)
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,4990728458495435643,14473516948697671501,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1632 /prefetch:2
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 101920)
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4990728458495435643,14473516948697671501,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:1
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 101924)
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4990728458495435643,14473516948697671501,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2632 /prefetch:1
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 101792)
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1628,4990728458495435643,14473516948697671501,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 /prefetch:8
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 102164)
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4990728458495435643,14473516948697671501,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 101480)
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4990728458495435643,14473516948697671501,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 102780)
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,4990728458495435643,14473516948697671501,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4532 /prefetch:8
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 102768)
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,4990728458495435643,14473516948697671501,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4684 /prefetch:8
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 102760)
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,4990728458495435643,14473516948697671501,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4544 /prefetch:8
        C:\Program Files\Google\Chrome\Application\chrome.exe (PID 103052)
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,4990728458495435643,14473516948697671501,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:8
-
C:\Users\Admin\AppData\Local\Temp\1BF3.exe (PID 101824)
    cmdline: C:\Users\Admin\AppData\Local\Temp\1BF3.exe
    - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\1BF3.exe (PID 102864)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1BF3.exe" -h
-
C:\Users\Admin\AppData\Local\Temp\1D9A.exe (PID 101804)
    cmdline: C:\Users\Admin\AppData\Local\Temp\1D9A.exe
    - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 103188)
        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
-
C:\Users\Admin\AppData\Local\Temp\21B2.exe (PID 102520)
    cmdline: C:\Users\Admin\AppData\Local\Temp\21B2.exe
    - Executes dropped EXE
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 101832)
        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
-
C:\Users\Admin\AppData\Local\Temp\28A8.exe (PID 102884)
    cmdline: C:\Users\Admin\AppData\Local\Temp\28A8.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 102652)
        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
-
C:\Users\Admin\AppData\Local\Temp\3404.exe (PID 103172)
    cmdline: C:\Users\Admin\AppData\Local\Temp\3404.exe
-
C:\Windows\SysWOW64\explorer.exe (PID 103368)
-
C:\Windows\explorer.exe (PID 102580)
-
C:\Windows\SysWOW64\explorer.exe (PID 102944)
-
C:\Windows\explorer.exe (PID 103276)
-
C:\Windows\SysWOW64\explorer.exe (PID 102816)
-
C:\Windows\SysWOW64\explorer.exe (PID 102848)
-
C:\Windows\SysWOW64\explorer.exe (PID 103084)
-
C:\Windows\explorer.exe (PID 103392)
-
C:\Windows\SysWOW64\explorer.exe (PID 102700)
-
C:\Windows\system32\rundll32.exe (PID 102608)
    cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
    - Process spawned unexpected child process
    C:\Windows\SysWOW64\rundll32.exe (PID 102552)
        cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
-
C:\Users\Admin\AppData\Local\Temp\8447.exe (PID 103052)
    cmdline: C:\Users\Admin\AppData\Local\Temp\8447.exe
-
C:\Windows\system32\svchost.exe (PID 103384)
    cmdline: C:\Windows\system32\svchost.exe -k WspService
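Several of the report's signatures are parent/child relationships that can be checked on any process-creation telemetry, not only in a sandbox: wmiprvse.exe spawning rundll32.exe, a dropper in %TEMP% starting AppLaunch.exe as a hollowing host, the 4-hex-digit payload names in %TEMP%, and F187.exe's taskkill of chrome.exe followed by its own chrome.exe launch. The following is an added example, not part of the sandbox report, that runs those four checks over event records constructed from the PIDs, images and command lines in the tree above. The parent of wmiprvse.exe (ppid 0), the benign notepad.exe event and the hex-name rule itself are assumptions made for the example; the rest is taken from the tree.

```python
"""Process-tree checks built from this report's tree and signatures.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from the PIDs, images and command lines the process tree shows; the parent
of wmiprvse.exe (ppid 0) and the notepad.exe event are assumptions.
"""
import re
from collections import namedtuple

# One process-creation event (Sysmon EID 1 / EDR style), parent-linked by ppid.
Proc = namedtuple("Proc", "pid ppid image cmdline")

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Heuristic (assumption): 4-hex-digit names like 735B.exe, 9BD3.exe, F187.exe.
HEX_NAME_RE = re.compile(r"\\[0-9A-F]{4}\.exe$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(procs, pid, limit=4):
    """Walk ppid links upward; stops when a parent is not in the event set."""
    out = []
    while pid in procs and len(out) < limit:
        out.append(pid)
        pid = procs[pid].ppid
    return out


def analyze(events):
    """Return [(pid, finding), ...] for the four patterns in the report."""
    procs = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = procs.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        # 1. Report signature: wmiprvse.exe is not expected to spawn rundll32.exe.
        if pname == "wmiprvse.exe" and name == "rundll32.exe":
            findings.append((e.pid, "wmiprvse.exe spawned rundll32.exe"))
        # 2. A dropper in %TEMP% starting the .NET AppLaunch.exe host: the report
        #    shows 735B.exe writing into AppLaunch.exe and setting its thread context.
        if name == "applaunch.exe" and parent and TEMP_RE.search(parent.image):
            findings.append((e.pid, f"AppLaunch.exe hosted by Temp dropper {pname}"))
        # 3. Hex-named executables dropped into %TEMP% (the loader's payload names).
        if TEMP_RE.search(e.image) and HEX_NAME_RE.search(e.image):
            findings.append((e.pid, f"hex-named executable in Temp: {name}"))
        # 4. taskkill /im chrome.exe whose ancestry reaches a Temp dropper; if that
        #    dropper also launches chrome.exe, report the kill-then-relaunch (F187.exe).
        if name == "taskkill.exe" and re.search(r"/im\s+chrome\.exe", e.cmdline, re.I):
            for anc in ancestors(procs, e.ppid):
                if TEMP_RE.search(procs[anc].image):
                    relaunch = any(c.ppid == anc and basename(c.image) == "chrome.exe"
                                   for c in events)
                    tag = "kill-then-relaunch" if relaunch else "kill"
                    findings.append((e.pid, f"chrome.exe {tag} by {basename(procs[anc].image)}"))
                    break
    return findings


T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed from the report's process tree
    Proc(4208, 2760, T + r"\597c8b6c97e93b844d134f8d6e185f53dc6cd0d67670ffbdd14bd22c4d0f34a9.exe", ""),
    Proc(4076, 2760, T + r"\735B.exe", T + r"\735B.exe"),
    Proc(101460, 4076, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe", ""),
    Proc(102396, 2760, T + r"\F187.exe", T + r"\F187.exe"),
    Proc(101988, 102396, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c taskkill /f /im chrome.exe"),
    Proc(102136, 101988, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im chrome.exe"),
    Proc(102376, 102396, r"C:\Program Files\Google\Chrome\Application\chrome.exe", ""),
    Proc(102052, 0, r"C:\Windows\system32\wbem\wmiprvse.exe", ""),  # ppid 0: assumption
    Proc(102608, 102052, r"C:\Windows\system32\rundll32.exe",
         'rundll32.exe "' + T + r'\db.dll",open'),
    Proc(5000, 2760, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # constructed benign
]

if __name__ == "__main__":
    for pid, finding in analyze(SAMPLE_EVENTS):
        print(pid, finding)
```

The ancestry walk stops at pid 2760 because, as in the report, that process is not in the event set; a rule that required the full chain up to explorer.exe would miss exactly the case where the injecting parent has already deleted itself. The hex-name rule is a heuristic and will fire on benign installers that use similar temporary names, so it is best used to raise the score of the other three findings rather than to alert on its own.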
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
786B
MD59ffe618d587a0685d80e9f8bb7d89d39
SHA18e9cae42c911027aafae56f9b1a16eb8dd7a739c
SHA256a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e
SHA512a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12
-
Filesize
6KB
MD5c8d8c174df68910527edabe6b5278f06
SHA18ac53b3605fea693b59027b9b471202d150f266f
SHA2569434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5
SHA512d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c
-
Filesize
13KB
MD54ff108e4584780dce15d610c142c3e62
SHA177e4519962e2f6a9fc93342137dbb31c33b76b04
SHA256fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a
SHA512d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2
-
Filesize
19KB
MD5f88020ab0d6af89405d5639bdd4740d1
SHA1f444d0541c8a845f4c393337e4cae527fce52ab5
SHA25672048949a9d3905e6603e283534fd098a2c26612d9b73d0aea96f6c31fc3101e
SHA5126ecd08e3aa04a7cc577c46d28aa507ebabde20ebc435d8ab07fe68c1dcd976bb19b047bc5fc697569d0879ae30a9f4165648c180dfcb165161edb4216fd86b9d
-
Filesize
3KB
MD5f79618c53614380c5fdc545699afe890
SHA17804a4621cd9405b6def471f3ebedb07fb17e90a
SHA256f3f30c5c271f80b0a3a329b11d8e72eb404d0c0dc9c66fa162ca97ccaa1e963c
SHA512c4e0c4df6ac92351591859a7c4358b3dcd342e00051bf561e68e3fcc2c94fdd8d14bd0a042d88dca33f6c7e952938786378d804f56e84b4eab99e2a5fee96a4c
-
Filesize
84KB
MD5a09e13ee94d51c524b7e2a728c7d4039
SHA10dc32db4aa9c5f03f3b38c47d883dbd4fed13aae
SHA256160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef
SHA512f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a
-
Filesize
604B
MD523231681d1c6f85fa32e725d6d63b19b
SHA1f69315530b49ac743b0e012652a3a5efaed94f17
SHA25603164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a
SHA51236860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2
-
Filesize
268B
MD50f26002ee3b4b4440e5949a969ea7503
SHA131fc518828fe4894e8077ec5686dce7b1ed281d7
SHA256282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d
SHA5124290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11
-
Filesize
1KB
MD56da6b303170ccfdca9d9e75abbfb59f3
SHA11a8070080f50a303f73eba253ba49c1e6d400df6
SHA25666f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333
SHA512872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a
-
Filesize
15KB
MD57cc3619a1ed71246b7a427687ac13bba
SHA10e7b92c837339c2fbe904539dfd5da26ff009679
SHA256923d585d1fec6ed7934fd1657d6aada948e60a1ef4aa4f85f56a8c949a7235f4
SHA512535806bc541e4f63eb72daac751ee8d8922500215f3e730347f9dd105825cdb09f7da4c08608ff7bb14733bb4974ad1051a67d8ca0279f572f89dcb54fb15aee
-
Filesize
179KB
MD5de92f22b6614cf9fcfbdaca5233b42e2
SHA1c28ce87a27aba3c3cd2b1341e7254aeec526120c
SHA2564f300474fbb84cc0d908c3fed79ab820066fcc6c309d29f179e032f023ec6b65
SHA512b5f8801896ff3c12333d610facc9dbefb459ebe29cb7494d9963b68a35354595fa3eb39931284df6ae4501a31bd42f965bdb835210a46cc79bce427b6380a19b
-
Filesize
2KB
MD50ba3d759c8a36a554b6ebfd723d207e5
SHA1a1112419e6444a0f7ab95e57c5d4cd2042148a73
SHA256af6cd579b0f1cd87b69ef35ee328d5bf0bd0b167b135db58121d9f740625140b
SHA512410cfa0407e21625f39fcfceaef9ead790fdae9d1b15f7634f694f286162ff5440c5165665695231afd7798dabc31a5aa70c9d6d4d23dd2888c0e80a6354d936
-
Filesize
84KB
MD52f60ef19334491b0800f818fe87c42f9
SHA1a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA2562b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA51297459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4
-
Filesize
84KB
MD52f60ef19334491b0800f818fe87c42f9
SHA1a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA2562b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA51297459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4
-
Filesize
84KB
MD52f60ef19334491b0800f818fe87c42f9
SHA1a54541d84ffdd10c71053a4da5d2635129c1a5fa
SHA2562b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095
SHA51297459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4
-
Filesize
458KB
MD579baeb8f62b1a8aabfc66f3844c4535f
SHA14ee6e1e1278c126c461e0b162523510180eb97d8
SHA256a1f376f0d2e7d0bd91a302db24a663535168b2611e03649799228807b1d098e3
SHA5128401c9c7ec450a5189e44667faa70aa019ae80e138235ad2c7e01ac46f51f4acbd3fa9ee217ecd2337427b88a8270694f101dd2d7a43771d4ef4e305bfa856f7
-
Filesize
458KB
MD579baeb8f62b1a8aabfc66f3844c4535f
SHA14ee6e1e1278c126c461e0b162523510180eb97d8
SHA256a1f376f0d2e7d0bd91a302db24a663535168b2611e03649799228807b1d098e3
SHA5128401c9c7ec450a5189e44667faa70aa019ae80e138235ad2c7e01ac46f51f4acbd3fa9ee217ecd2337427b88a8270694f101dd2d7a43771d4ef4e305bfa856f7
-
Filesize
429KB
MD51e7d395f469bbe106e010f3269a906be
SHA1f85f181301c29fd836a43d0f6ef5181aa6704e98
SHA25661930a44283840fe5309f9fc54e4caf73e0f6d191ab018663ca17e10a2b23863
SHA512d16c36d5e087dc0a923d3b479ae41556124044ddc044f0a56bed5fc1b2f1541c59f0e04478ae33f6bcaabc50a78944110630cdb19648961559032f5504659c4c
-
Filesize
429KB
MD51e7d395f469bbe106e010f3269a906be
SHA1f85f181301c29fd836a43d0f6ef5181aa6704e98
SHA25661930a44283840fe5309f9fc54e4caf73e0f6d191ab018663ca17e10a2b23863
SHA512d16c36d5e087dc0a923d3b479ae41556124044ddc044f0a56bed5fc1b2f1541c59f0e04478ae33f6bcaabc50a78944110630cdb19648961559032f5504659c4c
-
Filesize
608KB
MD5400566d192aca40edf56b858214ed0b9
SHA1d6acd830e72934b4c8ad6cc8d4dac72f95568182
SHA2569e5c7ec1fd704ef7fa6463ed839875ddc039f276bf8e0f866f228e275b349454
SHA5126e1c412c910508f66a920ddd260dcd64b36a4c601a9816ebd7f8d656e43780daaf0da2309ebf3f3e56c82f760697028c43c4c24fd04bf5957ac6b097a26e5a4f
-
Filesize
608KB
MD5400566d192aca40edf56b858214ed0b9
SHA1d6acd830e72934b4c8ad6cc8d4dac72f95568182
SHA2569e5c7ec1fd704ef7fa6463ed839875ddc039f276bf8e0f866f228e275b349454
SHA5126e1c412c910508f66a920ddd260dcd64b36a4c601a9816ebd7f8d656e43780daaf0da2309ebf3f3e56c82f760697028c43c4c24fd04bf5957ac6b097a26e5a4f
-
Filesize
293KB
MD55d3c7cb402f9a061f7f76e20851357e9
SHA1e6fb6b1a3024f017666503c6557177df1edd58ef
SHA256231ac3f24a18f2fccd46db163ea593d51b52ebe3858d04e3aacf06ad44f44a45
SHA512b88b551eb8dbdf93871704b1926084902fe2d448c170577758674d9e41ec666340b1182e86df807b73eb846c5315fc0e7b6d24c45bbb4e672c116968b67501bf
-
Filesize
671KB
MD5
b5217bb7be0e5f48d7a63d86ed10d79e
SHA1
8eda656c588396f74c1abeb019992015ec134a0c
SHA256
f1127c9264936045acc1c0f3d10d8683d78c865171a7ef485ecdf5d8aa2704f5
SHA512
1b2ad5d7af43702d065493accd7416df2c258996642d8b472ac54af96a8282c87baf22ae4155a0a490f4ec70498bf6846b364ef6a00cd99a6de2c4e45b7c6144
-
Filesize
4.0MB
MD5
f99d573625e45fc9d02bd27d30aa5839
SHA1
e12a9683a34b4e3d06d4f6d07851fa606a2a4556
SHA256
14d138ed08a4f1c0850a93312cec9258bc5a0e8942b57a582e47c258b91cfac6
SHA512
84b39b79549cf9d8b9e23c6c68f39f4a2453cd9322edf29c07534e3ae30a4524df937564a9c51c08f249be691aa97dca3a03e6f3677d6a3256d5e89b9293924d
-
Filesize
294KB
MD5
c8d618535dcead6a5b5c3d66bb6ef917
SHA1
35d8465bdb3fee6128245b977e37bba76c99ba43
SHA256
2eab3c88dcab4917e95f8ee32d0ce531100dc456f0d30447b86c94d70dd8daaa
SHA512
881ffbdd8c699ca7300e9bd606abd69b05aa0d2e9deab32b0549c47b58f7cd7aac44f9968c41a2416361e9e46e9521c9fed65e486ac1023af162afd749248050
-
Filesize
243KB
MD5
e217d6bc93ea9a438bcb2de790e28b8c
SHA1
8f8e486908f85f3d79e7b046761737cae7cdb1b5
SHA256
0ad21ef01587dcaf115b17d5050fa6d3ee9d26c927d9e94af285b728e151c163
SHA512
091cd0635f287edad984c47d42f0866f4cd110f9d945662b2ae70c92bf2fa3c093b391526c5d3f137acf3f1b8e12acf0dd1ea954054f1b37c9c960ead109074f
-
Filesize
675KB
MD5
1209eb5280434f121fa888e5d9665bef
SHA1
d85f7e6ab0486f32bc51c772215488dcfb299941
SHA256
30a2d83678b8e9a39debd957bf3e4dea8d97423fe19ca7b21a87ff1434f9b3d3
SHA512
79cdf89289871b1a89b65bb36353437d4c2fa11fb0bc6a4c60affc43ad1eab6d836c17a9a0bccdbaff365713b508b130af9eda338acb08d03af8fad0a1fa5c9b
-
Filesize
557KB
MD5
2a03e19d5af7606e8e9a5c86a5a78880
SHA1
93945d1e473713d83316aaa9a297a417fb302db7
SHA256
15dea69e1ef7f927cdf56b7b6a31189b825b0cef06eeca4811006e7bf9d02c9a
SHA512
f263945af96cb0040d521832038862bfa05f4c9efd0eda0ae511dc1ab0ced179e0e64a3054de42bdc159db2520ff45f2b56ac08a7ac59bd01b74bbdf4b013f93
-
Filesize
60KB
MD5
4d11bd6f3172584b3fda0e9efcaf0ddb
SHA1
0581c7f087f6538a1b6d4f05d928c1df24236944
SHA256
73314490c80e5eb09f586e12c1f035c44f11aeaa41d2f4b08aca476132578930
SHA512
6a023496e7ee03c2ff8e3ba445c7d7d5bfe6a1e1e1bae5c17dcf41e78ede84a166966579bf8cc7be7450d2516f869713907775e863670b10eb60c092492d2d04