Resubmissions
31/03/2024, 14:49 | 240331-r687xsec77 | 10
29/03/2024, 09:29 | 240329-lf9swaeg87 | 10
29/03/2024, 08:58 | 240329-kw8ebaed26 | 10
29/03/2024, 08:57 | 240329-kwtadsed22 | 10
29/03/2024, 08:49 | 240329-krew7sec34 | 10
Analysis
max time kernel: 372s
max time network: 408s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 29/03/2024, 08:49
Behavioral task: behavioral1
Sample: antivirus.exe
Resource: win11-20240221-en
General
Target: antivirus.exe
Size: 144KB
MD5: 4016477fd044882c78f3c1a47d7322e1
SHA1: 6c75ffa25ef2d1d6a658ff415b2e47964032fc6a
SHA256: fbbaef754d6dafaaf32ae5e7937135fe81075806e5e2b0db1d6f9441a1cd8633
SHA512: 17706a8238817e135ffe378e60e1e52964a00aeee6c6b9bc7f288a0390ae97d958f053cf693a4d829a35acbe32e3ab9599c13150a3155c671490736e88d19df1
SSDEEP: 3072:xokEUyr9ql5n3yU6S4M5Er8zwIMsoE0WNOBKHAHp+FBZ+:er9ql53y04QEwzh0FaAHQLZ
Malware Config
Signatures
Chaos
Ransomware family first seen in June 2021.

Chaos Ransomware 2 IoCs
resource | yara_rule
behavioral1/memory/2388-0-0x00000000007B0000-0x00000000007DA000-memory.dmp | family_chaos
behavioral1/files/0x00080000000277b9-6.dat | family_chaos

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid | Process
3792 | bcdedit.exe
4928 | bcdedit.exe

Deletes backup catalog
pid | Process
1400 | wbadmin.exe

Drops startup file 9 IoCs
description | ioc | Process
File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\hahaha.txt | taskmgr.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.4z0z | Decrypter.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | Decrypter.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hahaha.txt | svchost.exe
File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini.4z0z | taskmgr.exe
File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\svchost.url | taskmgr.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hahaha.txt | Decrypter.exe

Executes dropped EXE 1 IoCs
pid | Process
2380 | svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) 36 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | Decrypter.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | svchost.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3852399462-405385529-394778097-1000\desktop.ini | Decrypter.exe
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | svchost.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3852399462-405385529-394778097-1000\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | svchost.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haqhfswle.jpg" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e3bwknwse.jpg" | Decrypter.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
1996 | vssadmin.exe

Modifies registry class 6 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings | firefox.exe
Key created | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings | explorer.exe

Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
2404 | NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2380 | svchost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2388 | antivirus.exe
2380 | svchost.exe
724 | taskmgr.exe
3756 | Decrypter.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs
pid | Process | Token
2388 | antivirus.exe | SeDebugPrivilege
2380 | svchost.exe | SeDebugPrivilege
1528 | vssvc.exe | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
5116 | WMIC.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
3236 | wbengine.exe | SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
724 | taskmgr.exe | SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege, 33, SeIncBasePriorityPrivilege
3756 | Decrypter.exe | SeDebugPrivilege
3372 | firefox.exe | SeDebugPrivilege

Suspicious use of FindShellTrayWindow 47 IoCs
pid | Process
724 | taskmgr.exe
3372 | firefox.exe

Suspicious use of SendNotifyMessage 46 IoCs
pid | Process
724 | taskmgr.exe
3372 | firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
1704 | OpenWith.exe
2604 | OpenWith.exe
3992 | OpenWith.exe
3372 | firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2388 wrote to memory of 2380 | 2388 | antivirus.exe | 80
PID 2380 wrote to memory of 132 | 2380 | svchost.exe | 82
PID 132 wrote to memory of 1996 | 132 | cmd.exe | 84
PID 132 wrote to memory of 5116 | 132 | cmd.exe | 87
PID 2380 wrote to memory of 4060 | 2380 | svchost.exe | 90
PID 4060 wrote to memory of 3792 | 4060 | cmd.exe | 92
PID 4060 wrote to memory of 4928 | 4060 | cmd.exe | 93
PID 2380 wrote to memory of 4872 | 2380 | svchost.exe | 94
PID 4872 wrote to memory of 1400 | 4872 | cmd.exe | 96
PID 2380 wrote to memory of 2404 | 2380 | svchost.exe | 100
PID 3152 wrote to memory of 3372 | 3152 | firefox.exe | 126
PID 3372 wrote to memory of 1880 | 3372 | firefox.exe | 127
PID 3372 wrote to memory of 3012 | 3372 | firefox.exe | 128
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\antivirus.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\antivirus.exe"
  PID: 2388
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      PID: 2380
      - Drops startup file
      - Executes dropped EXE
      - Drops desktop.ini file(s)
      - Sets desktop wallpaper using registry
      - Modifies registry class
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
          PID: 132
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\vssadmin.exe
              Command line: vssadmin delete shadows /all /quiet
              PID: 1996
              - Interacts with shadow copies
            C:\Windows\System32\Wbem\WMIC.exe
              Command line: wmic shadowcopy delete
              PID: 5116
              - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
          PID: 4060
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\bcdedit.exe
              Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
              PID: 3792
              - Modifies boot configuration data using bcdedit
            C:\Windows\system32\bcdedit.exe
              Command line: bcdedit /set {default} recoveryenabled no
              PID: 4928
              - Modifies boot configuration data using bcdedit
        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
          PID: 4872
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\wbadmin.exe
              Command line: wbadmin delete catalog -quiet
              PID: 1400
              - Deletes backup catalog
        C:\Windows\system32\NOTEPAD.EXE
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\hahaha.txt
          PID: 2404
          - Opens file in notepad (likely ransom note)
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1528
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  PID: 3236
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 1328
C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 4424
  - Checks SCSI registry key(s)
C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 1704
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 2604
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 3992
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe" shell:::{52205fd8-5dfb-447d-801a-d0b52f2e83e1}
  PID: 796
C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID: 3604
  - Modifies registry class
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2784
C:\Windows\System32\DataExchangeHost.exe
  Command line: C:\Windows\System32\DataExchangeHost.exe -Embedding
  PID: 1012
C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  PID: 724
  - Drops startup file
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
C:\Users\Admin\Desktop\decryptor-decrypter\Decrypter.exe
  Command line: "C:\Users\Admin\Desktop\decryptor-decrypter\Decrypter.exe"
  PID: 3756
  - Drops startup file
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\CompareExit.vbs"
  PID: 3772
C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 3152
  - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
      PID: 3372
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.0.1722399989\408492447" -parentBuildID 20221007134813 -prefsHandle 1800 -prefMapHandle 1792 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {73664fb4-8085-4033-b26e-762b2ec848dd} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 1892 22509aedb58 gpu
          PID: 1880
        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.1.5039792\2000528005" -parentBuildID 20221007134813 -prefsHandle 2244 -prefMapHandle 2240 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6306399d-af12-4881-8368-1e8876937a55} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 2264 22509a03258 socket
          PID: 3012
        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.2.1066167726\1543510774" -childID 1 -isForBrowser -prefsHandle 3368 -prefMapHandle 3364 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64d81c09-a7c6-4d8a-9210-c35b745755a9} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 3380 22509a59c58 tab
          PID: 1116
        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.3.1137703865\1357497206" -childID 2 -isForBrowser -prefsHandle 2812 -prefMapHandle 3100 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {307df162-0315-48a3-818e-1118a78ca09e} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 3792 2250d7ba258 tab
          PID: 2552
        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.4.763257778\120000477" -childID 3 -isForBrowser -prefsHandle 3964 -prefMapHandle 3968 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3e7832b-a929-42c0-b3f8-5302639cded6} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 4844 2250d750658 tab
          PID: 1352
        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.5.759841763\1950709230" -childID 4 -isForBrowser -prefsHandle 4964 -prefMapHandle 4672 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89603fad-c386-4c3f-bfda-73714bd1d656} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 4948 2250f719e58 tab
          PID: 1512
        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.6.1680988422\223622494" -childID 5 -isForBrowser -prefsHandle 5188 -prefMapHandle 5192 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {909d0afe-3823-4899-9290-e71ff0f672aa} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 5180 2250f71a458 tab
          PID: 3972
        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.7.1022729885\1779676263" -childID 6 -isForBrowser -prefsHandle 5376 -prefMapHandle 5380 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19d6d4ac-54bb-4fa0-b15a-3f5b18d8cb6c} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 5456 2250f71a758 tab
          PID: 436
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\cache2\entries\A72798DEF4F924983D5A0DB82D383C613B515FF2
Filesize13KB
MD523798a67535363f871f955986e6fd6cd
SHA17824e96c03e777c541ab897c7bb29bdf3752d4ad
SHA25622bf3fa0cd04b96b98b853116d52b66391ad4aec0dcb5f06411c6fcb9b207f9d
SHA5125bde700a07746bd164dac2ae4127a0c62f019e9a29b400c37af03c45e42afaa1f2119156f22da8883dc578257928882843935a3694f702f128f39125fbe6075c
-
Filesize
53B
MD54bdef3f72a5eba62ea4feba80e30e373
SHA1900c79d35982e5c1cf45b32aaa664cba8a10bd38
SHA256203678fb2c25bc9cb5263a1687aeda814b88489db8ad00389d5e489f3f3621a5
SHA512c3fd088a5d2312364c11cc428d2fd2ef17f3a3a61194c27eeadb5d81d6762eb226acfd156f171612d7a86a4aaf673b6be7866e9d62343781f6277badbec96c0a
-
Filesize
1KB
MD5fe81920405e89473fb0c16155aabec04
SHA1551dd434c6de3840b7442ee30efb5333cf74cbf9
SHA256bb25cdab78eeb57277ad4d2d82b2aae9b49ad82edf188d4b335c8bd1deb779ca
SHA512f8313f5fdfcdb3df3a998c32e82a104c987a34ad02c48d3abab2f52e4b120d160403f3e30a38673c04b017a6815e594821e59f586c4d105453847f4bca6d5e94
-
Filesize
13KB
MD59e9e06bf461f036de43aee3343e501f0
SHA1e03f1560506ce88cce404029bff7ed66b156e9a4
SHA25605854a2b93d670a26ca2244fa2a5d23ccf25ca1c7e2036ef4f8ca5a02e65da68
SHA5120daa1a19b3b05d44366afe85561c162f2c796b4a898a04c96426618153b7b66b88be868474fca280b3eb49a32d9d02d5fab70bef2978dcde610ffb20b888dc58
-
Filesize
94KB
MD53daa9ca83e7068dae25f6062403404b7
SHA199db4e7faaeef72fa6ac6b4e393e7083ad8d4c3f
SHA2569bb0bc9ab86b77529ba27c28248bc32c8b928819bb8e7f3d21ea212bf33e0f38
SHA51244c496dde6e30bdf691c54d042f855ae2decaa5529eb080aa35645cfb2b0f1822e29604564a7998c9328589a3c2cd998cbf957e754fead916f7389dce6e302a2
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240221165343.log
Filesize15KB
MD5098985bf0dd8494048a341ec08f2a51b
SHA189db3c13492a66a48855517bacdb2be6770ff1ab
SHA256f857ba1a364f56f563617b065bf52c925ce15433196f59da67c0ff300fd5e8bb
SHA5128e9398bee3d16a8c02a676d07f176c4a6a3c639915d5f2ec7501c5e10019ed08504740b580fafc6ae3d68be257130bbacf36ecc0766cb4465b9a29abd8dd3ba5
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240221165343_000_dotnet_runtime_6.0.25_win_x64.msi.log
Filesize551KB
MD5ab7d85e8d604ee313825bd2a080997e0
SHA127476bda106aa0f890effaf1a7db707cfcaa9676
SHA2564f9c41167899557f76fddde70713ca5a4e607485e24f0603c348d62e2f7bea65
SHA5125b440b24c942b85fde3153251ba3e2430450c6001a7b9cd56ba4770618627ec4f66d8f21f65dd227e86e5766f35192fe6ff2a3b62af5cb9911ad284f1b0471ce
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240221165343_001_dotnet_hostfxr_6.0.25_win_x64.msi.log
Filesize95KB
MD539ae573560abe3bbeebaec4d42ac83ff
SHA1e86628b379fddcff1a0fd322d74b86647fc25df6
SHA256e80f6b0e1faf16d478348f6f5cac05ed6c1c48177a65c18df52f5e4c7fa75e11
SHA51259770841e232879610028f51e5443e22fd41aa64f1f81d0180ef2831161b90a5540d3c7d769edce18f50851cb0a3777192df58eaa26f90ae621ba898ee43c2cb
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240221165343_002_dotnet_host_6.0.25_win_x64.msi.log
Filesize105KB
MD58bc33ae945ef51b68e36854fae703a93
SHA1c7f47ab96369b1ab7fe7d9f67adb259fd1328136
SHA25618665b227b94362cafe2231271f82b6abe21b7de53191cc0d38a6621f2d5d9b0
SHA5123bc0d4be1238e5b198ae97c24d75ede23d3ce552db7469569e983ea6db9e9ea80ef9a97313be6c1a10a09d4dc641eda2ea5119f3134b3a0d59ce527c5e937be9
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240221165343_003_windowsdesktop_runtime_6.0.25_win_x64.msi.log
Filesize849KB
MD558edf6ba6f2b133a45158751ff55f51e
SHA10b8f199cfcd5aaa325fbf3acaee32513402a3013
SHA25673e3b57d0bb4d3ba0c63d63337b4f84752b16686002926088eb7e70b4990b8d8
SHA512db640d3ed10efaa0606f6773b55a5b023ebc08996d8aa56ee7d04439de1a4a581aed35666c41554a38426e723e380e9f0e1ea81f6a07bb9ef872bd42909aa2ab
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240221165420.log
Filesize15KB
MD53fb56eec599461705bf837172bbe526a
SHA1067139b5b350226b6a915e582f74587653489a13
SHA256fb24bb1080cf5fc82945c4baed7265f28a8102258a613fbc53ccbcb89fcc6957
SHA512b0c1bee035be42858b12b48e4501f86f1a28ec76b60adb15f79a6ec63933000e9d8bef42cda311689b7bca6c9c771812a7aad69a2246811dd6eba98a24ff749b
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240221165420_000_dotnet_runtime_8.0.0_win_x64.msi.log
Filesize469KB
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240221165420_001_dotnet_hostfxr_8.0.0_win_x64.msi.log
Filesize 95KB
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240221165420_002_dotnet_host_8.0.0_win_x64.msi.log
Filesize 109KB
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240221165420_003_windowsdesktop_runtime_8.0.0_win_x64.msi.log
Filesize 847KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\datareporting\glean\db\data.safe.bin
Filesize 2KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\datareporting\glean\pending_pings\100a50bd-ecde-4bea-b426-7f5112e0b2f4
Filesize 746B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\datareporting\glean\pending_pings\78314dc1-5e53-4909-95e8-01d706050a9e
Filesize 12KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize 997KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize 116B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize 479B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize 372B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize 11.8MB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize 1KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize 1KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 1KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 1KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize 184KB
-