Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-1703_x64 -
resource
win10-20230915-en -
resource tags
arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system -
submitted
25/09/2023, 01:40
Static task
static1
Behavioral task
behavioral1
Sample
8f9de63f98b367c35d08247a510c0b063853ac8c1a14f4c7719d019584f9d3ab.exe
Resource
win10-20230915-en
General
-
Target
8f9de63f98b367c35d08247a510c0b063853ac8c1a14f4c7719d019584f9d3ab.exe
-
Size
270KB
-
MD5
3df2709ef694ba38a66b20cbe634510b
-
SHA1
db47729b37a425900d1432e34c810508ce14a85c
-
SHA256
8f9de63f98b367c35d08247a510c0b063853ac8c1a14f4c7719d019584f9d3ab
-
SHA512
43d47b3c6da393aae286b656ec7d64d708eeaf476bdf446850908b96d8388d4040e1f0de6123aba827b9389306beae7b441cd0dd5edf109ef6fd96737f888a1d
-
SSDEEP
6144:lR0hrJ+j+5j68KsT6h/OCy5U9uAOkAZP0iuqw6:lRaN+j+5+RsqGGu7ZMyw6
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000\Control Panel\International\Geo\Nation cmd.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1300 set thread context of 2988 1300 8f9de63f98b367c35d08247a510c0b063853ac8c1a14f4c7719d019584f9d3ab.exe 71 -
Drops file in Windows directory 7 IoCs
description ioc Process File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdge.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3308 1300 WerFault.exe 69 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8a9ffa1f52efd901 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 883d362052efd901 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c5969b3452efd901 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" MicrosoftEdge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2988 AppLaunch.exe 2988 AppLaunch.exe 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found 3248 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3248 Process not Found -
Suspicious behavior: MapViewOfSection 11 IoCs
pid Process 2988 AppLaunch.exe 4808 MicrosoftEdgeCP.exe 4808 MicrosoftEdgeCP.exe 4808 MicrosoftEdgeCP.exe 4808 MicrosoftEdgeCP.exe 4808 MicrosoftEdgeCP.exe 4808 MicrosoftEdgeCP.exe 4808 MicrosoftEdgeCP.exe 4808 MicrosoftEdgeCP.exe 4808 MicrosoftEdgeCP.exe 4808 MicrosoftEdgeCP.exe -
Suspicious use of AdjustPrivilegeToken 56 IoCs
description pid Process Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeDebugPrivilege 312 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 312 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 312 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 312 MicrosoftEdgeCP.exe Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeDebugPrivilege 4484 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4484 MicrosoftEdgeCP.exe Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found Token: SeShutdownPrivilege 3248 Process not Found Token: SeCreatePagefilePrivilege 3248 Process not Found -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2292 MicrosoftEdge.exe 4808 MicrosoftEdgeCP.exe 312 MicrosoftEdgeCP.exe 4808 MicrosoftEdgeCP.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 1300 wrote to memory of 3840 1300 8f9de63f98b367c35d08247a510c0b063853ac8c1a14f4c7719d019584f9d3ab.exe 70 PID 1300 wrote to memory of 3840 1300 8f9de63f98b367c35d08247a510c0b063853ac8c1a14f4c7719d019584f9d3ab.exe 70 PID 1300 wrote to memory of 3840 1300 8f9de63f98b367c35d08247a510c0b063853ac8c1a14f4c7719d019584f9d3ab.exe 70 PID 1300 wrote to memory of 2988 1300 8f9de63f98b367c35d08247a510c0b063853ac8c1a14f4c7719d019584f9d3ab.exe 71 PID 1300 wrote to memory of 2988 1300 8f9de63f98b367c35d08247a510c0b063853ac8c1a14f4c7719d019584f9d3ab.exe 71 PID 1300 wrote to memory of 2988 1300 8f9de63f98b367c35d08247a510c0b063853ac8c1a14f4c7719d019584f9d3ab.exe 71 PID 1300 wrote to memory of 2988 1300 8f9de63f98b367c35d08247a510c0b063853ac8c1a14f4c7719d019584f9d3ab.exe 71 PID 1300 wrote to memory of 2988 1300 8f9de63f98b367c35d08247a510c0b063853ac8c1a14f4c7719d019584f9d3ab.exe 71 PID 1300 wrote to memory of 2988 1300 8f9de63f98b367c35d08247a510c0b063853ac8c1a14f4c7719d019584f9d3ab.exe 71 PID 3248 wrote to memory of 1168 3248 Process not Found 74 PID 3248 wrote to memory of 1168 3248 Process not Found 74 PID 4808 wrote to memory of 2160 4808 MicrosoftEdgeCP.exe 80 PID 4808 wrote to memory of 2160 4808 MicrosoftEdgeCP.exe 80 PID 4808 wrote to memory of 2160 4808 MicrosoftEdgeCP.exe 80 PID 4808 wrote to memory of 2160 4808 MicrosoftEdgeCP.exe 80 PID 4808 wrote to memory of 2160 4808 MicrosoftEdgeCP.exe 80 PID 4808 wrote to memory of 2160 4808 MicrosoftEdgeCP.exe 80 PID 4808 wrote to memory of 2160 4808 MicrosoftEdgeCP.exe 80 PID 4808 wrote to memory of 2160 4808 MicrosoftEdgeCP.exe 80 PID 4808 wrote to memory of 2160 4808 MicrosoftEdgeCP.exe 80 PID 4808 wrote to memory of 2316 4808 MicrosoftEdgeCP.exe 85 PID 4808 wrote to memory of 2316 4808 MicrosoftEdgeCP.exe 85 PID 4808 wrote to memory of 2316 4808 MicrosoftEdgeCP.exe 85 PID 4808 wrote to memory of 2316 4808 MicrosoftEdgeCP.exe 85 PID 4808 wrote to memory of 2316 4808 MicrosoftEdgeCP.exe 85 PID 4808 wrote to memory of 2316 4808 MicrosoftEdgeCP.exe 85 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f9de63f98b367c35d08247a510c0b063853ac8c1a14f4c7719d019584f9d3ab.exe"C:\Users\Admin\AppData\Local\Temp\8f9de63f98b367c35d08247a510c0b063853ac8c1a14f4c7719d019584f9d3ab.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:3840
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2988
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 2442⤵
- Program crash
PID:3308
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\83E1.bat" "1⤵
- Checks computer location settings
PID:1168
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2292
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:5052
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4808
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:312
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2160
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:820
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4264
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2316
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4484
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:4764
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:2344
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\7NWOFWY5\suggestions[1].en-US
Filesize17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\U3MZA09I\B8BxsscfVBr[1].ico
Filesize1KB
MD5e508eca3eafcc1fc2d7f19bafb29e06b
SHA1a62fc3c2a027870d99aedc241e7d5babba9a891f
SHA256e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a
SHA51249e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\2KBPVWUK.cookie
Filesize130B
MD5fd32fed4987adfafcd79b4a019b80168
SHA12891cadbb67b8f6d4a2092a5f2de764f7c5935c6
SHA256bffa7eab2316a59483510171569e9910dbf8aed862cd8fc69f78a88764e9ffe8
SHA512c4edc15a3581fefe2a891993d6c2916d126cd57a0bd06e63d7e772ad67679213623ba1b8c6ee14780f4759de8821593e58ac00d5a7f2b0c9387abcbd3ab3a5af
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\5S3A8ZDX.cookie
Filesize130B
MD550d52df330ee0adbfab01e301dba8fc1
SHA11ec5c3a78c93e792fef49e918ed3cfc385ce40c7
SHA256fa53c0797af5873d89e4146155a4eafd6deda616612a4f30bc44d8ec0b06c4c3
SHA5126d150735bb04c6739491144a27eb3fa245eb97f76969e198a2f79c7dfd00e2f7515618c63aa01bb5f5029e566aabed05159b98dd49b22674c142e375b054787d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD5b5eda74305a01c41450e0d12777199e1
SHA136162e9e8c3a69b237d317f7c300f11927a37c12
SHA2566e5c17b2b4e22fa800baa0eaf0b76ce73005e463b915503e8bca92223b9cf594
SHA512f96b2ea451f4ceef082e1289a7f1e160580f5a8d515eaf2b4df0d8d818c34355c17538806f873fba07118b5c937d8c3172721ee03e3d16126e07c0db5faf16f3
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize724B
MD5ac89a852c2aaa3d389b2d2dd312ad367
SHA18f421dd6493c61dbda6b839e2debb7b50a20c930
SHA2560b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190
Filesize471B
MD53b7403306365b481a905b872a4a8fe8d
SHA1848d8b54a1b0fa0f473fe13bbabcb7872c0a6067
SHA256f7ffcd2b2deb0aafb5ab3eca136e1bfa6560686bf31f6982afeb0535dfd70bd7
SHA512bb40f31f256d4635c9ef00ef2eb7f6d959a262e55e8028d2d009073b74979900672073db15b2e3130b551dfe3b770863251940fa13c49375b8e18c5be24fb2a9
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD5bddb3c4cd657f29bb35c63a9cc896dfc
SHA1fa2605654adfe12a6195e8a589a0309cfdeeaa82
SHA25604dbcf6fb16c7a34de722e51222e5227fe324de581a38d30bc61da76c8aaa5cf
SHA51265f4db2791cbbeb2c607eb1d4eed7d291341a2ee0e6658b332c2416e99233cffd9562417e257eefe0ad91c9b2b6deddffb1c72855529ef6bfef89742fa4c4769
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize392B
MD5e557c5bdc02d0c3699b7943b4fd53460
SHA1d2dfa72af80250d9e312a96ca53b855aff8785ac
SHA256434e36422c5d33e3cde4fe8599e60f4db29ae430b90976870177564de2abb017
SHA512a3cbc1bb673dc9696feafa0320e9d35c3f3322708b4210fde0f8303ccccaf094bf254ed4d7e3e947dd4b83889dc418e1c38a1cd377725bce337ce73ea98c693d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190
Filesize406B
MD5a787d148cf11e9d70cdad0316970f99f
SHA10875be40e461f60b404ff832e6ce7c221bbe3f32
SHA256401c49863cae33c28efeced1d16553aa70ac411a6b7e6feca3bfc71996204f72
SHA5123713935320b8d7c3fa7b1da88dd50e18520483914a43cf373591b949e76f432acada0e1afcacf38dc8c0a07899f32b8c407f1d9fb64cd3da70d8c7b918dffa6f
-
Filesize
79B
MD5403991c4d18ac84521ba17f264fa79f2
SHA1850cc068de0963854b0fe8f485d951072474fd45
SHA256ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576