Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-12-2023 05:38
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe
  - Resource: win10v2004-20231127-en
General
- Target: 9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe
- Size: 257KB
- MD5: e1db58927595887f3528ccd12a9b3139
- SHA1: ddddbc9ba3112f0bdcbe0e6fa75bcfb74c68f1cb
- SHA256: 9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35
- SHA512: 4809cd07c8847e2d3812f75a97526fc2f32703b3f8b3dc0b60b3335432e595031147a8245913ba731c2996acaa0a93aae255e29a729870eb9a4eee9710d9f6a7
- SSDEEP: 3072:0gyUuwY/K2ljlmngPavJrM8ZWp9yJANfgX24vCdQXG+oMyVSzjJSAPov1z:jynM2XavJY8ZWpqANqvCV+oMUKk
Malware Config
- Extracted: smokeloader
  - pub1
- Extracted: smokeloader
  - 2020
  - http://host-file-host6.com/
  - http://host-host-file8.com/
- Extracted: djvu
  - http://zexeq.com/test1/get.php
  - extension: .hhuy
  - offline_id: gG3wF8nDWRqLztkHPAxMzpvNVlmLBMgQKmKiCNt1
  - payload_url: http://brusuax.com/dl/build2.exe
  - payload_url: http://zexeq.com/files/1/build3.exe
  - ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-5zKXJl7cwi Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0834ASdw
- Extracted: risepro
  - 193.233.132.51
- Extracted: lumma
  - http://soupinterestoe.fun/api
  - http://dayfarrichjwclik.fun/api
  - http://neighborhoodfeelsa.fun/api
  - http://ratefacilityframw.fun/api
Signatures
- DcRat (4 IoCs)
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ae32c46a-408f-440b-ba92-443fb487bad9\\7DD.exe\" --AutoStart" (7DD.exe)
  - PID 7080: schtasks.exe
  - PID 7772: schtasks.exe
- Detect Lumma Stealer payload V4 (3 IoCs)
  - behavioral1/memory/6800-547-0x00000000024F0000-0x000000000256C000-memory.dmp: family_lumma_v4
  - behavioral1/memory/6800-553-0x0000000000400000-0x0000000000892000-memory.dmp: family_lumma_v4
  - behavioral1/memory/6800-599-0x0000000000400000-0x0000000000892000-memory.dmp: family_lumma_v4
- Detected Djvu ransomware (9 IoCs)
  - behavioral1/memory/4560-35-0x00000000025D0000-0x00000000026EB000-memory.dmp: family_djvu
  - behavioral1/memory/3144-36-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
  - behavioral1/memory/3144-38-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
  - behavioral1/memory/3144-39-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
  - behavioral1/memory/3144-40-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
  - behavioral1/memory/3144-50-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
  - behavioral1/memory/1992-74-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
  - behavioral1/memory/1992-75-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
  - behavioral1/memory/1992-77-0x0000000000400000-0x0000000000537000-memory.dmp: family_djvu
- Djvu Ransomware
  Ransomware which is a variant of the STOP family.
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation (7DD.exe)
- Deletes itself (1 IoC)
  - PID 3272: Process not Found
- Drops startup file (1 IoC)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk (2PR8616.exe)
- Executes dropped EXE (13 IoCs)
  - PID 4600: EF13.exe
  - PID 4088: EF13.exe
  - PID 4560: 7DD.exe
  - PID 3144: 7DD.exe
  - PID 3864: 7DD.exe
  - PID 1616: 1470.exe
  - PID 1900: ca3lM75.exe
  - PID 1924: 1To94YF2.exe
  - PID 1992: 7DD.exe
  - PID 6176: 2PR8616.exe
  - PID 6800: 7mX2az42.exe
  - PID 6348: gucdjge
  - PID 1080: gucdjge
- Modifies file permissions (1 TTP, 1 IoC)
  - PID 1088: icacls.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  - Key opened: \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (2PR8616.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (2PR8616.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (2PR8616.exe)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" (2PR8616.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ae32c46a-408f-440b-ba92-443fb487bad9\\7DD.exe\" --AutoStart" (7DD.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (1470.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (ca3lM75.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 89: api.2ip.ua
  - flow 94: api.2ip.ua
  - flow 161: ipinfo.io
  - flow 162: ipinfo.io
- AutoIT Executable (2 IoCs)
  AutoIT scripts compiled to PE executables.
  - behavioral1/files/0x0007000000023225-69.dat: autoit_exe
  - behavioral1/memory/3864-71-0x0000000002460000-0x0000000002502000-memory.dmp: autoit_exe
- Drops file in System32 directory (4 IoCs)
  - File opened for modification: C:\Windows\System32\GroupPolicy (2PR8616.exe)
  - File opened for modification: C:\Windows\SysWOW64\GroupPolicy\gpt.ini (2PR8616.exe)
  - File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol (2PR8616.exe)
  - File opened for modification: C:\Windows\System32\GroupPolicy\GPT.INI (2PR8616.exe)
- Suspicious use of SetThreadContext (5 IoCs)
  - PID 4468 set thread context of 1340 (9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe, procid_target 90)
  - PID 4600 set thread context of 4088 (EF13.exe, procid_target 111)
  - PID 4560 set thread context of 3144 (7DD.exe, procid_target 114)
  - PID 3864 set thread context of 1992 (7DD.exe, procid_target 121)
  - PID 6348 set thread context of 1080 (gucdjge, procid_target 202)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (3 IoCs)
  - PID 3708 WerFault.exe, pid_target 1992 (procid_target 121)
  - PID 8128 WerFault.exe, pid_target 6176 (procid_target 153)
  - PID 1932 WerFault.exe, pid_target 6800 (procid_target 195)
- Checks SCSI registry key(s) (3 TTPs, 9 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI: key opened, enumerated and queried by 9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI: key opened, enumerated and queried by EF13.exe
  - \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI: key opened, enumerated and queried by gucdjge
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (2PR8616.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (2PR8616.exe)
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 7772: schtasks.exe
  - PID 7080: schtasks.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 1340 9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe (2 events)
  - PID 3272 Process not Found (62 events)
- Suspicious behavior: MapViewOfSection (3 IoCs)
  - PID 1340: 9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe
  - PID 4088: EF13.exe
  - PID 1080: gucdjge
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (20 IoCs)
  - PID 1004 msedge.exe (20 events)
- Suspicious use of AdjustPrivilegeToken (60 IoCs)
  - Token SeShutdownPrivilege, PID 3272 Process not Found (30 events)
  - Token SeCreatePagefilePrivilege, PID 3272 Process not Found (30 events, alternating with the SeShutdownPrivilege events)
- Suspicious use of FindShellTrayWindow (39 IoCs)
  - PID 1924 msedge.exe (6 events)
  - PID 1004 msedge.exe (25 events)
  - PID 3272 Process not Found (8 events)
- Suspicious use of SendNotifyMessage (30 IoCs)
  - PID 1924 msedge.exe (6 events)
  - PID 1004 msedge.exe (24 events)
- Suspicious use of UnmapMainImage (1 IoC)
  - PID 3272: Process not Found
- Suspicious use of WriteProcessMemory (64 IoCs, listed as source PID -> target PID, source process, procid_target, event count)
  - 4468 -> 1340, 9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe, 90 (6 events)
  - 3272 -> 4600, Process not Found, 107 (3 events)
  - 3272 -> 416, Process not Found, 108 (2 events)
  - 416 -> 1280, cmd.exe, 110 (2 events)
  - 4600 -> 4088, EF13.exe, 111 (6 events)
  - 3272 -> 4560, Process not Found, 112 (3 events)
  - 4560 -> 3144, 7DD.exe, 114 (10 events)
  - 3144 -> 1088, 7DD.exe, 115 (3 events)
  - 3144 -> 3864, 7DD.exe, 116 (3 events)
  - 3272 -> 1616, Process not Found, 118 (3 events)
  - 1616 -> 1900, 1470.exe, 119 (3 events)
  - 1900 -> 1924, ca3lM75.exe, 120 (3 events)
  - 3864 -> 1992, 7DD.exe, 121 (10 events)
  - 1924 -> 4668, msedge.exe, 123 (2 events)
  - 4668 -> 1652, msedge.exe, 125 (2 events)
  - 1924 -> 2120, msedge.exe, 124 (2 events)
  - 2120 -> 1696, msedge.exe, 126 (1 event)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- outlook_office_path (1 IoC)
  - Key opened: \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (2PR8616.exe)
- outlook_win_path (1 IoC)
  - Key opened: \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (2PR8616.exe)
Processes (each entry gives the image path, command line, PID and triggered signatures; child processes are nested under their parent, with the tree depth in brackets)
- [depth 1] C:\Users\Admin\AppData\Local\Temp\9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe"
  PID: 4468
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe"
    PID: 1340
    Signatures: DcRat; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- [depth 1] C:\Users\Admin\AppData\Local\Temp\EF13.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\EF13.exe
  PID: 4600
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\EF13.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\EF13.exe
    PID: 4088
    Signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection
- [depth 1] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F06C.bat" "
  PID: 416
  Signatures: Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
    PID: 1280
- [depth 1] C:\Users\Admin\AppData\Local\Temp\7DD.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\7DD.exe
  PID: 4560
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\7DD.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\7DD.exe
    PID: 3144
    Signatures: DcRat; Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Users\Admin\AppData\Local\ae32c46a-408f-440b-ba92-443fb487bad9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      PID: 1088
      Signatures: Modifies file permissions
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\7DD.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7DD.exe" --Admin IsNotAutoStart IsNotTask
      PID: 3864
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - [depth 4] C:\Users\Admin\AppData\Local\Temp\7DD.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7DD.exe" --Admin IsNotAutoStart IsNotTask
        PID: 1992
        Signatures: Executes dropped EXE
        - [depth 5] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 568
          PID: 3708
          Signatures: Program crash
- [depth 1] C:\Users\Admin\AppData\Local\Temp\1470.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\1470.exe
  PID: 1616
  Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ca3lM75.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ca3lM75.exe
    PID: 1900
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1To94YF2.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1To94YF2.exe
      PID: 1924
      Signatures: Executes dropped EXE
      - [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        PID: 4668
        Signatures: Suspicious use of WriteProcessMemory
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffd8dd746f8,0x7ffd8dd74708,0x7ffd8dd74718
          PID: 1652
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,16795344000278021468,7760274516861956801,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
          PID: 5812
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,16795344000278021468,7760274516861956801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
          PID: 5844
      - [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
        PID: 2120
        Signatures: Suspicious use of WriteProcessMemory
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd8dd746f8,0x7ffd8dd74708,0x7ffd8dd74718
          PID: 1696
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,6416093471888615068,2397192538690831067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
          PID: 5584
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,6416093471888615068,2397192538690831067,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
          PID: 5576
      - [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        PID: 1580
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd8dd746f8,0x7ffd8dd74708,0x7ffd8dd74718
          PID: 4772
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,9848842407201901460,18123915721562923441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
          PID: 5648
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,9848842407201901460,18123915721562923441,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
          PID: 5596
      - [depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
        PID: 1004
        Signatures: Enumerates system info in registry; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd8dd746f8,0x7ffd8dd74708,0x7ffd8dd74718
          PID: 4544
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
          PID: 5452
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
          PID: 5444
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
          PID: 5788
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
          PID: 1924
          Signatures: Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
          PID: 2700
        - [depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
          PID: 5960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:15⤵PID:7096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:15⤵PID:7368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2512 /prefetch:15⤵PID:7508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:15⤵PID:7672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:15⤵PID:7704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:15⤵PID:7876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:15⤵PID:8064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:15⤵PID:8140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:15⤵PID:6204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:15⤵PID:7580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:15⤵PID:8072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7116 /prefetch:15⤵PID:7812
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:15⤵PID:8184
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7500 /prefetch:15⤵PID:6420
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7876 /prefetch:85⤵PID:5912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7876 /prefetch:85⤵PID:1184
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7340 /prefetch:15⤵PID:4192
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:15⤵PID:732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7680 /prefetch:15⤵PID:2040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7500 /prefetch:85⤵PID:5468
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login4⤵PID:1412
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd8dd746f8,0x7ffd8dd74708,0x7ffd8dd747185⤵PID:3632
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,5550792225734076753,1685124743080624193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:35⤵PID:5516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,5550792225734076753,1685124743080624193,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:25⤵PID:3280
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform4⤵PID:2736
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd8dd746f8,0x7ffd8dd74708,0x7ffd8dd747185⤵PID:1076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,2300100849802714671,7517593101365197699,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:25⤵PID:6268
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,2300100849802714671,7517593101365197699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:35⤵PID:6308
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login4⤵PID:1844
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd8dd746f8,0x7ffd8dd74708,0x7ffd8dd747185⤵PID:3056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,3763091579317280085,2886994263970768899,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:35⤵PID:7144
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin4⤵PID:764
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd8dd746f8,0x7ffd8dd74708,0x7ffd8dd747185⤵PID:3344
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,13311691850316208750,15429520729105742813,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:35⤵PID:6544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,13311691850316208750,15429520729105742813,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:25⤵PID:6352
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵PID:1400
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffd8dd746f8,0x7ffd8dd74708,0x7ffd8dd747185⤵PID:5312
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵PID:5836
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x78,0x170,0x7ffd8dd746f8,0x7ffd8dd74708,0x7ffd8dd747185⤵PID:4132
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PR8616.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PR8616.exe3⤵
- Drops startup file
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
PID:6176 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST4⤵
- DcRat
- Creates scheduled task(s)
PID:7080
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST4⤵
- DcRat
- Creates scheduled task(s)
PID:7772
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6176 -s 18204⤵
- Program crash
PID:8128
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7mX2az42.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7mX2az42.exe2⤵
- Executes dropped EXE
PID:6800 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6800 -s 10283⤵
- Program crash
PID:1932
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1992 -ip 19921⤵PID:1276
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:6484
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:7220
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:7208
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:7500
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:7860
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6176 -ip 61761⤵PID:4268
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6800 -ip 68001⤵PID:7392
-
C:\Users\Admin\AppData\Roaming\gucdjgeC:\Users\Admin\AppData\Roaming\gucdjge1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6348 -
C:\Users\Admin\AppData\Roaming\gucdjgeC:\Users\Admin\AppData\Roaming\gucdjge2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1080
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2748
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Scheduled Task/Job 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Scheduled Task/Job 1
Downloads
-
Filesize
152B
MD5ef2ab50a3d368243b8203ac219278a5d
SHA12d154d63c4371354ff607656a4d94bc3734658a9
SHA2562e2faf2873e0b8d58788da8603acdd772642a396fff661c4e32f8a581362cbdf
SHA5124533997bf4070f99306337b8ff553691d4cf1d1b53401628524ad4dc9d29bd0536a3f2df4ecdd0a8afa81b7f917f40524c9a1898b566ee499a358abc5c84b27a
-
Filesize
152B
MD516f2e3b53bcbb102e66ce976ddf51d21
SHA12d08df66868e7a63324fc49d8badcce608bd68e3
SHA256735cfaa43a4815a1aef46276a32d628ce5b1b7a4f57b316e7d51abc762b92653
SHA512bb567f8fa37c0b0a1447e247aef839c681a24e0861fcb2fc9ece89978cd6443cf2cd6d73b288b1cdd5ccd1851d3f10e2fcde896da8571e99102b1a9a14c9d524
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1f275724-e5f9-4afe-a9e3-e97b6eaf90aa.tmp
Filesize4KB
MD5873afee3119b877fec6a29dc875edd93
SHA18ab637f2114af539691e4ac8baaee5f04dda234a
SHA256b7b889cacbc75d04eee4dd9b9c1aac78cb76efd526b7c62c1b0aa5c06d9c87d9
SHA5127ebb430f0e75013594d4017063ad44c29d598a2dd0e1ffc3587c42fa37b6d8aaf7a5b60324471ebd63158e411300dc13ec0055269f5d876e052f863b917dfb11
-
Filesize
200KB
MD5b3ba9decc3bb52ed5cca8158e05928a9
SHA119d045a3fbccbf788a29a4dba443d9ccf5a12fb0
SHA2568bd1b2afcbe2fa046b0937197f1b2f393ef821ff89331f99754b9006f0114df4
SHA51286a86d370e96fa29c0c1d12991c2287936b400830869ff7b5abe4de6f32db2df782b626d724496cd6de27f8cbd32101ba34cbcd4c650ef11afa26bc048d68529
-
Filesize
20KB
MD5923a543cc619ea568f91b723d9fb1ef0
SHA16f4ade25559645c741d7327c6e16521e43d7e1f9
SHA256bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd
SHA512a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555
-
Filesize
21KB
MD57d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA168f598c84936c9720c5ffd6685294f5c94000dff
SHA2566c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f
-
Filesize
33KB
MD5909324d9c20060e3e73a7b5ff1f19dd8
SHA1feea7790740db1e87419c8f5920859ea0234b76b
SHA256dfc749d2afefe484d9aa9f8f06d461ad104a0ca9b75b46abfaaddda64a5e9278
SHA512b64d2dce1f9a185fbb8a32adc1ff402d8045d379600bf3f9154bbde18303610f18af9fce258442db1e621ecf10b77aafe99cffedfcbe2a1490056c50cc42d0f9
-
Filesize
190KB
MD5d55250dc737ef207ba326220fff903d1
SHA1cbdc4af13a2ca8219d5c0b13d2c091a4234347c6
SHA256d3e913618a52fe57ab4320e62a5ace58a699d6bce8187164e198abe3279726fd
SHA51213adff61e2cfa25dc535eba9d63209b7e7e9bd29fc4d6c868b057df7f680aa66ef5783a0e82a8367185debf7f6fe5bae89adc0770daff5317d2e16db5ad3ab39
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize5KB
MD5c0fc43af3f6775b43c3508419a7d6731
SHA100b5a606d199e7ec0a33cf220bea315580545108
SHA256c25708b04b813e9d5c9bfcacad96c27abac23ff4067fd474cdf66580f84eb8d2
SHA512b253c29a6b6b56d5f9efb2fb0d5a97aa8a787213352cf452cb0ca5976486cc596dee06627bbd400fa93d4ca1622ebf1076690a5ddedbfa96b59bed3d4f52779a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize5KB
MD5fade4a345ba7cf8e0a3d13d44f736637
SHA13cd2a91ca71f2800385c2b1f9e044ff489176763
SHA256c3409a95bce308fa8332158e75c0a06c8d5485a0e7ad5ac88125d86d26dd2acf
SHA51268c135eabdbc7c54b433a07d945e8b0fccdbd8d9826c18c797e14d5b051b1b575069180195492c3e392e446c0ae3e9886b4a3ec1e9b3632b31fbef89d038685d
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
3KB
MD558f9457599ab31d91e17a4b9e949eee5
SHA1b3caba40f0e364da0a80b704220fb43153133042
SHA2564eccd3ea676b8e301551bd02f28ff78f92793f88f6a4fd4f7ac9346907e84ba5
SHA512a5e29554bc7573d1599ea3e51e0c0bcd8865df95fb126f5f5bfb2467ceadba1da2aa11ab21ef0b01a245edf361ad1720983a7fd2cbbcade80dc64b91e02c041f
-
Filesize
5KB
MD5bd2c937a0bd6f6fef431c45c9f9f70a6
SHA19cc0d2f94e50c87c6544e981756f56da49683804
SHA256fbe63ff4383d29a5608badaa34b90841bd80177c7435a12af1747c8437bb46d8
SHA512594185fea4541939dca53237f39952e8ee96c58a31009b937afcc998e34fbe0eafe9d2ac9061e3145e89b503c815648648a68bb20babaa97f324dc19f2fdd862
-
Filesize
8KB
MD5fe98b2996beb858c705d3606acfa8183
SHA1b4f2d3a27910730bb43021d6a0d37c00ba5c29dd
SHA256a229114b09a580feb8a7dccd9a7ae338631c1748eecf8cf4bb832ec2e859d7b9
SHA512b47752d639574a3131b30ebcd7e106404bf56bdfc9521d4e2a8e61f1ff901194a7c921c81492bce8cc3e833b85fa6fe6ab2d526e222b6f376af8c6446ebd18d3
-
Filesize
8KB
MD5879c7e76c9513b1435d386a4f1472303
SHA12f9ea28dc94bfb83d9f3268ccc665129c3d8823d
SHA2567d16a8d3c24dee6f14d5e33070ba00cd0662c317a3416b20d5f298b68c8d4343
SHA5124ef80c84748985831794c0c1649ac430ae3b69aa44993628c0d9ee528be95191d845ac0afaaea8614c14a56871856ba824e0a91190f69f526ea811d0054d59b0
-
Filesize
9KB
MD55049b791567301b6fdf147f43ab92e61
SHA186d4bf745cd832f8554350de5efac2952c5abb74
SHA25620987044cedd4a06de919ae17b6e420c75d15a9e6787b09027ff9dbe041f7599
SHA512229da8ca6e54ba6ca870a0a4d81d48e6cd1b3afd0534bdb9073f0dedba7f6ff4b3eedd0947787c6138c76fdd11b45f7e7a14d7a0e24efddcf6521f646aad7ea3
-
Filesize
24KB
MD5bf38e67347aea6d520cda5fde321a1e5
SHA10e7a8def4c923201d76b41dfa9918bb1052827ea
SHA2560f0744f36e30e64949c41835aa5666f25c1ab4f3636d9247b8350fd8ad4f8025
SHA512f62478dd4e38c6bef2bfc24f46caa03840613711e2b6fda2aad707df5cbd33b25af4fc3954521e203b981c4a10e5c8fd2520cabc16cdad858eed819b45a6f366
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize89B
MD55a23287e17020328644eeb777879fb7d
SHA19a9f3fa3ee71390774622e6cba700ad496257a03
SHA2561755d56e94c6f93ea0f05cfafa0f97dd4cbe7e99d5404fccf417211e8e3e0b7c
SHA51233e407030c719767a9d12796821974ff3529746967d52888e8c4b44de6278ca59c945adc871433edf1449eed1153ff6bebd23578f2f71f05c85bc2f0eee7729d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize146B
MD5f349000ca3f25416aba6e73cd88f7fd3
SHA19a543b8e8af490253c5ce3a4092998104bbbb072
SHA25697fd4dd1b617d6b9ee381d3fbc44ff041e99302690e0eb5d5cdea0605d8d235c
SHA512cd25c7c8e3f60d5dd32c56fbc480ca4dd572ac39f6eac14fa60799a6ad131fe9f225c4c8bc69b95198a9926c9e8c23a1fb6e3fe89924fb756ddf432e2649d215
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt.tmp
Filesize: 82B
MD5: f9efbc0a1a3e6f0b296e08c8dd39cd64
SHA1: abdc090fe539ed15271e408f057a445fb9beef7b
SHA256: 50096eba3160c15840f56fe321329b2b7bd422d76de1e4a9092cf83dbad8ac51
SHA512: 416ed14f65cc740a2469cdce7a4723ec59954122ddb338ca54146de0bffedba6533312498b89e6147f9f13848bfdcee0460587623e5e50f90bae8fb1cee93830
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\313cad57-64e9-4bd2-a0e1-39060ddbc249\index-dir\the-real-index
Filesize: 6KB
MD5: 8875a960b95627cb241e2fca32844932
SHA1: e0554a198e27da79d29e6a2324b951f51aea939e
SHA256: 965b6248b5b4789087f8d93ef9dffae8ab8d2b1ee09f940e8b378a9d138b4cb9
SHA512: 6703c574603f74ed62a9908486a4fd22acd066098d30b2f07395cc6fe6a9102e07a18463800ca1b0224187d97e73a5e395ebda10090390b479f4ba5244c4ef66
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\313cad57-64e9-4bd2-a0e1-39060ddbc249\index-dir\the-real-index~RFe591488.TMP
Filesize: 48B
MD5: bb247aa39a4c9b789a6fb24b38b55cad
SHA1: 0ddad99e34f5b660b03b6278cc801cb92164bdfb
SHA256: 44398e1f93e5acf7336da9aeb7e930b6afee2747281b1c466b8b5a9aa3e3269c
SHA512: fc91b538c824a8ab17e912aca6b69493ba2782921a8c4ae1ede64bdd262bcf5e41be188d1a2196fda35bb82b8fe39bf388f3adf1fcc7445a42ab9d7c298f2f01
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt
Filesize: 83B
MD5: ffa98f35e93bee0ef7c9ec796cecb7e7
SHA1: b54d14dd72466318796a2a69df8052bcfc73b7b7
SHA256: e1905aeb1f28dcf4edde44cee246baf723082ca4b5993bdb37c36be8058d73ce
SHA512: b932cf8acc5997b4923a0cc626530b699573a197be78ba7dd248b3175c366b1b63c2c4e92e9f8e3297b4c203773967e24d82be2bd4f156db32fea079599e6768
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt
Filesize: 79B
MD5: 480b5a8c8314a99ae08d04f418d6d8df
SHA1: d3dd7b0bfa28a5a7cbb4229d021a41468f3e5de2
SHA256: 477cd5c4fd64389ba7101bf71b88552cb8dac439350d8334fabc920d2befe142
SHA512: d6b17c592ff09f954def99763bb7bec86665e374b2b40c1dfd55bd694859814b4b4344ffc77b989062b3fe6206c2e82333414514b22da205983b1e8c50618ad9
-
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 120B
MD5: a06cabfaff91ddd22428056626193f24
SHA1: 825db76c5ec4d7d78bf3ffaf2343daa1c65e961f
SHA256: 8ac7113568d4b8d79b7ac556e04100378881b22d4a4e7fb55006d5e31127159e
SHA512: 79786337026b7c0e9286f7e53dc0b38d7f0a1b436702ba03081c918267d7b6be9c263ec9bcc464e6aacc60fbffe8684976761ef1bf1bdb7e05d494dad33db7c6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58f2b8.TMP
Filesize: 48B
MD5: 65071ab6f24a5eabf803c54a77433177
SHA1: 8cedd28cef5d7f4ff27dc40f2cf39ea07acf5ed6
SHA256: 49b73ba88f33f3453718923ecf684dcd4a0c330f996799b493998af14b2da8fc
SHA512: 0e5c36b818868d63fe1db759e46dc94ee2a96b9eda84827cafebd8709bbc3b2ccc2f52ecfc352130e4947985a5413203dbd0a3ca2f1a7e4489095ce582857cfa
-
Filesize: 3KB
MD5: 0ac259c4f162bd43564775eff4f2c0c4
SHA1: 575f23492bdee169a10a202ed49dc53b067a8ce1
SHA256: d8ca798cad77b9679d7f521b459ff1fe78cdccdb79fa3b716d9e0e81576fda76
SHA512: 8c40fed53429eb92673c6a42a060d26d7e8dcc4b1bf17c3c4529e4e9af04453a1d3b3878e4bd874686529ce9652ab5c89ccdd31b62e72255290ff0e32b0840b8
-
Filesize: 4KB
MD5: db0db5b79003a5f1d675e22c6181588d
SHA1: 169059ef7a707b9cfbda45d61fda3c140ac38b14
SHA256: 9ac09123071930efd0f8bba69c3cdefe2a2aaa6ca90cdcaca04fc6f6125a518a
SHA512: 1307e865456cb720194512b9464ebf7ad06726b02ee3606fa58f9adc9a147963e3e6d2d1b55625a84e95286317d3a7698bb6cdafb49a801f64b45ce618a07a17
-
Filesize: 4KB
MD5: 145a4bd531bfb7ca8f483a36e1c8263e
SHA1: f2db238ca8550d04392ee0a7c1d04c0053658367
SHA256: 746146c1a6a85c22f403e95eba43e2053e7e10d4f7fd7d3821c88f9b5a7ca37c
SHA512: 0e1e379f286d7f72e569fd114a831be11731211aaa97b44170832711a8dc0f9dfad0a6a034050f8b893c8db31e03a4fda10c8165f8c0204c9d2896150a318f6c
-
Filesize: 4KB
MD5: 50727789b0e962937710739168b3089c
SHA1: 755716bd1bd93eeddb0df0047df7a6f0ff1dec6d
SHA256: 31e1cfa4453326aa89d4a3389b1657a30d21c8d55f2d4fb089add96c2da75f01
SHA512: 1b52f78bcde098e840ef601b00a6f6467774530f5b21a4e54c29b6352ac17de79a7840f35e17d2ff0965f8de55e339165d2dc778d64e7506fdf0ac4a46675548
-
Filesize: 2KB
MD5: ed8190877f30950ff120bd9f7a621410
SHA1: 3a13b8ab385b763920a0a60b6b738632d7a1fdde
SHA256: 459af229641ae2a31305ee05403562bf40392352a71a57426945714667e55530
SHA512: 31602eec789459bc060d3b06c37e35f59660fad879a4cf16ed0cf95f44324c84c295ee786d1ad383355c1d2982e71de8fc511256f1d1fd4ba23c5cc1fdd6e24e
-
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize: 2KB
MD5: d5da6a68e569268fa360aa86df1da691
SHA1: 88620c7f144764aa0f7f16956ae92fcec3e15635
SHA256: b6e0b2fc73e32b89ff00e730be30cc4d9bee4cd7316f62d76250807300610b7f
SHA512: 7e2e811070e949921474e5d76107a5b4ce27b0ae54c80f948d9147d655f3edac571266393a0b99f0c8bd900f560e8cafb05cb2a21194f9e9e3b77b63713aff18
-
Filesize: 2KB
MD5: 8b3a2a187fb05ca2e41e7b4ce6e9aff0
SHA1: 3c931b61d8e5bffce81c1c95bf761ee7621daf9f
SHA256: 5f3d00869d7f5a8d98b8e62e1f8fcf79fe21877535f3faf975d7fbcd9f29c130
SHA512: 000359146b87cdf9f432acc25299ed05f6de53912e38f972f4e2002c8075cb10a75209dc4ee71912578095976482dbe9b2f379c290a9b005bccf27a6ecb6bfd2
-
Filesize: 2KB
MD5: bc96ecb2b35d13512fc80c33c4fbd0b4
SHA1: e360e58fa6eba698482d78d8b6b91473d35c98e8
SHA256: ac271596e1f1df2848f0c5ac04f1968e802615611bf5c11ba73acfd8cb6075ca
SHA512: 4d5140272bd6db3c860585b51c19f068b7d99acfbec3a7de141daa6911a56b9cf68efd802aa7e5ef177aa7fc5d9a24d9855800723a157adbbacafddb238b1faf
-
Filesize: 2KB
MD5: fae532313b86d5299fcc9e4dcc909590
SHA1: 697ef446f9b62b987cd2e98496911a9b2cc12cd3
SHA256: 803850f2b439ed0139601ea748c1f2b93353fec2a9a9efebb63460618802d6d4
SHA512: 07616f0d6eb1b7fdddd279d00a1c17b2f0e7b2e8b70d4cce57cf1997542b910d99d9f100d4b513d3f74833eb3e3525b25410322eec12d5ebb44efd8049c941a3
-
Filesize: 2KB
MD5: 0013d549efc9f4ee70e7fc49da8eac12
SHA1: 6cd8da38a709af62dbc739c39e31d1742b5c8868
SHA256: e286d36fd3b1ddeb83e7e2847631e5308bf3769e9032f6c5e0596e09563937ca
SHA512: 498158b366658d338303e26549688bc7f9bce29f7e3083f3ab97c2e4ed9e1695b9cead929dca5eb9e808d70c43045a258c00355421fda65129d0bb184b90f921
-
Filesize: 10KB
MD5: 04c3558f9276d9c3d7769ead90acb21b
SHA1: 1135f4eba6629e2775302537d8615d4267e89908
SHA256: aa759c4ad98f812da40bd00524e00ce18da098e780afa7aa5bd79b77e735ae4a
SHA512: cdd3a74da2ee35dde6b9b200dd765a5f3bc96da53e2897d0cd21f78dd4ee66399dc909d3e70a4ac5125503822bbe2854ed5b590a57c0776894e156dad7c619ed
-
Filesize: 2KB
MD5: e82c55cefd424b2dc19b22540124a9d9
SHA1: cfb54b32a46e8a9dab3374edbbb56272ca6ff2a7
SHA256: c7921a8e160fa1c72488a64b6193a1ffa14e423d6b94414abe19b88aa07c6264
SHA512: 3fe72e76388a0cf5aca2811865c6ea0ad3b00d9ffc4a114a758dd4187466be14d66a92fc66e34dd424167614e0527b27c0237c781e6d6c5087d8ff20677061e0
-
Filesize: 2KB
MD5: 137e24d7afd90068bbc2ea166bdb058c
SHA1: 503544674913da9f28bd448e4058bbf86a73e644
SHA256: 816120ab623944eed660787b9986c24ac462be30fc2d612bb164d043c1457521
SHA512: 7125ac809eda48074f240bffa35555af24d6abbab311a7d41880caa39f808317b2ec2276c1f5368faa194e9d7a29655db97867449a9d9debdd9ad9460d5ec39a
-
Filesize: 1.5MB
MD5: ecb468882ee533e521a9df36ad3eacf1
SHA1: a1fea7ca6d1f65458a9f8464377d43f1f26bb947
SHA256: 87a0bf17ab7b79d832c520aae117ea3cb6f141b84a7035099664ac8148a4626f
SHA512: 1a157b18084c6e7d0cd4801d71080aba5971ddb02fdacefc05f11b28124c2fddb09bf1766f25d2d6c3b778bf66ebdc806b14c96bb6883041b5fad4e8623bade5
-
Filesize: 768KB
MD5: d6709cc2adb09d6ff003d52ece25c894
SHA1: 1f5b110ab3549efac240ff309bbcb934c26a072a
SHA256: fb5c249e2a353691a022f786fabcdc80037824e1f018ddb01d2a5f68c62e2167
SHA512: 9501a3818f7e478f546438582a654592bc2c541cdb7d1b54dfb931672a6da74b5e0c3b6a9ee5080dd604762bdb7be3222c931223acc7c79c51b3b06ea72e002d
-
Filesize: 257KB
MD5: e1db58927595887f3528ccd12a9b3139
SHA1: ddddbc9ba3112f0bdcbe0e6fa75bcfb74c68f1cb
SHA256: 9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35
SHA512: 4809cd07c8847e2d3812f75a97526fc2f32703b3f8b3dc0b60b3335432e595031147a8245913ba731c2996acaa0a93aae255e29a729870eb9a4eee9710d9f6a7
-
Filesize: 77B
MD5: 55cc761bf3429324e5a0095cab002113
SHA1: 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256: d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512: 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
Filesize: 1.1MB
MD5: e01a2c4142fc339884e60b819b52ff9e
SHA1: f75821ea099c26b7b1e933787b2e0795fe70e89e
SHA256: ac29d44852bcc1f12d6fc777e6958705d40406ef36b91cf3426017845805bfba
SHA512: 40d8e21da5b544b2782e8f1e1a3f458424b541a7474f7893f1c11ea1266fd0a1888b1d4e4868e9e7070ee1f5fee311cf4571bcc7cd86401186b4adba5c4679c5
-
Filesize: 898KB
MD5: 589e67e5be95d38137707eab421a98f9
SHA1: d89e115d57920a0f037b34181ed824589609c302
SHA256: 844c5a77852461e53bc1f57f5226ec0c0f124ce780c7467d0b5d9e88edb45e8c
SHA512: 458b250cfcdeebb378fc198d1dc709daac6ed2c33d3f2f70d03dd4da32be45ef727b47512c791aba29c7b8aed4f0738371723bc8f7673097c5b6f858eab40c72
-
Filesize: 1.6MB
MD5: f8e7488fd4ced59d6eb387447bc37430
SHA1: 560ed0a592273875ae66a93efd611f76a9da7ee7
SHA256: 30d11b5bd1ed2f376bb2c6dd47299a54702bf9cfdfc0d32e5f50c1adf83ae347
SHA512: 0e7445eb71a24e10c13a706189cc972d9d590bbd456f27b4008243161868fc6b0e86fd8fadf42f61502aa913f39e2a3fedb7de236b80a2bff05378b7ade6cdb2
-
Filesize: 4KB
MD5: df3ae2dbdbafe7f4eb0fbd8cb7b993d8
SHA1: ed3410f4271a4af92168cba045d2218ed4bb9306
SHA256: 4e2bdcf3461b9c798ebddc008f1425ede36bf1e60b1b379e35c7b44d8c238193
SHA512: 56e902f1e671ff2d07ddd979ee159407dce8995f05d5dd936dc5dd8e86d6a8fa5bf2adc7a06e0c6708be891486f507c1a6f80b2882ddd6da00b821feff63e08f
-
Filesize: 92KB
MD5: 15b15858232eb73939154fa51070f7d9
SHA1: c5d442be8afd48c12f3e10324d74c274ebad25d8
SHA256: 415b5d95ff3e636716deaa385106694fcc257f82be4fe831fdaed420bba50cf2
SHA512: 8477c2a94ecbecff9d79d3f73713d568ab29260cd51397f54939629531aa84eeaaffc742bef744da071718b597b15e8870c547cf1dfeb122686bb9e59a7dfd86
-
Filesize: 116KB
MD5: f70aa3fa04f0536280f872ad17973c3d
SHA1: 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256: 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512: 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
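The dropped-file listing above is raw sandbox output: the Edge Service Worker cache index entries are ordinary browser artifacts written during the run, many entries carry no path at all, and every size is rounded (257KB, 1.5MB), so a hunt for these files on other hosts has to key on the digests rather than on names or sizes. The following is an added example, not code from the sandbox or from this report. It parses the listing in either rendering it appears in here (label fused to the value, such as MD5e1db..., or a bare Filesize line with the size on the next line, or Label: value), keeps unnamed entries as path-less records rather than inventing a name, and then checks a file's digests against the records, reporting a hit only when every algorithm a record lists agrees. The two records in SAMPLE_REPORT are copied from this page; the hashes_of_file helper and the byte string used in the check are constructed for the example.

```python
"""Parse a sandbox dropped-file listing into IOC records and check files against them."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hex digest lengths per algorithm; a value of the wrong length is dropped, not kept as an IOC.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512):?\s*([0-9a-fA-F]+)$")
_SIZE_RE = re.compile(r"^Filesize:?\s*(\d+(?:\.\d+)?(?:B|KB|MB|GB))?$")
_SIZE_VALUE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
_UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Sample input in the report's own layout (records copied from the page): first the Edge cache
# index entry with label fused to value, then the submitted sample in the two-line Filesize form.
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt.tmp
Filesize82B
MD5f9efbc0a1a3e6f0b296e08c8dd39cd64
SHA1abdc090fe539ed15271e408f057a445fb9beef7b
SHA25650096eba3160c15840f56fe321329b2b7bd422d76de1e4a9092cf83dbad8ac51
SHA512416ed14f65cc740a2469cdce7a4723ec59954122ddb338ca54146de0bffedba6533312498b89e6147f9f13848bfdcee0460587623e5e50f90bae8fb1cee93830
-
Filesize
257KB
MD5e1db58927595887f3528ccd12a9b3139
SHA1ddddbc9ba3112f0bdcbe0e6fa75bcfb74c68f1cb
SHA2569ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35
SHA5124809cd07c8847e2d3812f75a97526fc2f32703b3f8b3dc0b60b3335432e595031147a8245913ba731c2996acaa0a93aae255e29a729870eb9a4eee9710d9f6a7
-
"""


@dataclass
class DroppedFile:
    path: Optional[str] = None          # None for the unnamed entries in the report
    size: Optional[str] = None          # as written, e.g. "257KB" (rounded by the sandbox)
    hashes: Dict[str, str] = field(default_factory=dict)


def parse_report(text: str) -> List[DroppedFile]:
    """Split the listing on its "-" separators and collect each record's fields."""
    records: List[DroppedFile] = []
    cur, want_size = DroppedFile(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                              # record separator
            if cur.hashes or cur.path:
                records.append(cur)
            cur, want_size = DroppedFile(), False
            continue
        if want_size:                                # value line after a bare "Filesize"
            cur.size, want_size = line, False
            continue
        m = _SIZE_RE.match(line)
        if m:
            if m.group(1):
                cur.size = m.group(1)
            else:
                want_size = True
            continue
        m = _HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) == DIGEST_LEN[algo]:
                cur.hashes[algo] = digest
            continue
        cur.path = line                              # anything else is the file path
    if cur.hashes or cur.path:
        records.append(cur)
    return records


def size_to_bytes(size: Optional[str]) -> Optional[int]:
    """Approximate byte count; the report rounds sizes, so never match on size alone."""
    m = _SIZE_VALUE_RE.match(size) if size else None
    return int(float(m.group(1)) * _UNIT[m.group(2)]) if m else None


def hashes_of_bytes(data: bytes) -> Dict[str, str]:
    return {"MD5": hashlib.md5(data).hexdigest(), "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(), "SHA512": hashlib.sha512(data).hexdigest()}


def hashes_of_file(path: str) -> Dict[str, str]:
    """Stream a file on disk through all four digests (assumed helper for a live hunt)."""
    hs = {"MD5": hashlib.md5(), "SHA1": hashlib.sha1(),
          "SHA256": hashlib.sha256(), "SHA512": hashlib.sha512()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hs.values():
                h.update(chunk)
    return {k: h.hexdigest() for k, h in hs.items()}


def match_record(computed: Dict[str, str], records: List[DroppedFile]) -> List[DroppedFile]:
    """Records whose every listed digest equals the computed one; a single disagreeing
    algorithm means a different file (or a collision attempt), not a partial hit."""
    hits = []
    for r in records:
        common = [a for a in r.hashes if a in computed]
        if common and all(r.hashes[a] == computed[a] for a in common):
            hits.append(r)
    return hits


if __name__ == "__main__":
    for rec in parse_report(SAMPLE_REPORT):
        print(rec.path or "<no path>", rec.size, size_to_bytes(rec.size), rec.hashes["SHA256"])
```

To use it against a suspect host, feed the whole listing to parse_report, compute hashes_of_file for each candidate file and pass the result to match_record; the path-less records still match on digest, which is the point of keeping them.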