Resubmissions (date | task id | score)
10-04-2024 12:56 | 240410-p6qpgagd79 | 1
10-04-2024 12:39 | 240410-pv43qaba8s | 7
08-04-2024 16:21 | 240408-ttseradf78 | 1
06-04-2024 08:39 | 240406-kkr8ysfc55 | 6
06-04-2024 08:14 | 240406-j4467aeb4x | 10
06-04-2024 08:05 | 240406-jyx6paeg54 | 8
Analysis
max time kernel: 501s
max time network: 501s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 06-04-2024 08:05
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://bing.com
Resource: win10v2004-20231215-en
General
Target: https://bing.com
Malware Config
Signatures
Downloads MZ/PE file
Executes dropped EXE (2 IoCs)
Processes (pid | process):
2004 | Rensen.exe
1156 | Rensen.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
Processes (description | ioc | process):
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133568643509420904" | chrome.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process; distinct entries):
3184 | chrome.exe
4404 | chrome.exe
2004 | Rensen.exe
1156 | Rensen.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid | process):
1156 | Rensen.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
Processes (pid | process; distinct entries):
3184 | chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description | pid | process; distinct entries):
Token: SeShutdownPrivilege | 3184 | chrome.exe
Token: SeCreatePagefilePrivilege | 3184 | chrome.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (pid | process; distinct entries):
3184 | chrome.exe
2612 | taskmgr.exe
Suspicious use of SendNotifyMessage (64 IoCs)
Processes (pid | process; distinct entries):
3184 | chrome.exe
2612 | taskmgr.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process; distinct entries):
PID 3184 wrote to memory of 3148 | 3184 | chrome.exe | chrome.exe
PID 3184 wrote to memory of 1820 | 3184 | chrome.exe | chrome.exe
PID 3184 wrote to memory of 3668 | 3184 | chrome.exe | chrome.exe
PID 3184 wrote to memory of 1480 | 3184 | chrome.exe | chrome.exe
Processes (command line, indented by depth in the process tree, followed by PID and triggered signatures)

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://bing.com
  PID: 3184
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed2ea9758,0x7ffed2ea9768,0x7ffed2ea9778
    PID: 3148

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:2
    PID: 1820

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:8
    PID: 3668

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:8
    PID: 1480

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2892 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:1
    PID: 2112

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2900 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:1
    PID: 1896

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3968 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:1
    PID: 4864

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4792 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:1
    PID: 5096

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:8
    PID: 4788

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:8
    PID: 4140

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3240 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:2
    PID: 4404
    - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4632 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:1
    PID: 1836

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:8
    PID: 2504

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4904 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:8
    PID: 3436

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3340 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:1
    PID: 4364

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5160 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:1
    PID: 1412

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:8
    PID: 1400

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5912 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:8
    PID: 4284

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5964 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:8
    PID: 4704

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:8
    PID: 2900

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5440 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:8
    PID: 3036

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5624 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:8
    PID: 552

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=3056 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:1
    PID: 4468

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5732 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:1
    PID: 4116

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4992 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:8
    PID: 3464

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5264 --field-trial-handle=1848,i,4062379375956556845,12153122758061855625,131072 /prefetch:8
    PID: 4280

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 1156

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2632

"C:\Users\Admin\Downloads\Rensen.exe"
  PID: 2004
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses

  C:\Windows\system32\cmd.exe /c cls
    PID: 3372

  "C:\Users\Admin\Downloads\Rensen.exe"
    PID: 1156
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam

    C:\Windows\system32\cmd.exe /c cls
      PID: 4064

"C:\Windows\system32\taskmgr.exe" /0
  PID: 2612
  - Checks SCSI registry key(s)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

"C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 1408

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffed2ea9758,0x7ffed2ea9768,0x7ffed2ea9778
    PID: 4932
Network
MITRE ATT&CK Enterprise v15
Downloads