Analysis
-
max time kernel
506s -
max time network
505s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
03-09-2024 22:39
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://mega.nz/file/Bzd2RIQS#QLUWARjUbkPXSC5JfRj4jr2_zw2pG2b_-AOdzs__d5g
Resource
win10v2004-20240802-en
General
-
Target
https://mega.nz/file/Bzd2RIQS#QLUWARjUbkPXSC5JfRj4jr2_zw2pG2b_-AOdzs__d5g
Malware Config
Extracted
stealerium
https://discord.com/api/webhooks/1280658371216805939/aizH0m46OW9UyZDoUQxNmyrg2Y1xpWFVrLkJD6_rCirVkiR12lhHFkfUaQ1iRBZGsT1D
Signatures
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation dotnet-sdk-6.0.425-win-arm64.exe -
Executes dropped EXE 9 IoCs
pid Process 5980 dotnet-sdk-6.0.425-win-arm64.exe 5372 dotnet-sdk-6.0.425-win-arm64.exe 1084 dotnet-sdk-6.0.425-win-arm64.exe 6072 ndp48-web.exe 5396 Setup.exe 4696 build.exe 336 build.exe 3776 build.exe 3336 build.exe -
Loads dropped DLL 5 IoCs
pid Process 5372 dotnet-sdk-6.0.425-win-arm64.exe 5396 Setup.exe 5396 Setup.exe 5396 Setup.exe 5396 Setup.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{56376562-25a5-4949-b5b8-a5e211599d11} = "\"C:\\ProgramData\\Package Cache\\{56376562-25a5-4949-b5b8-a5e211599d11}\\dotnet-sdk-6.0.425-win-arm64.exe\" /burn.runonce" dotnet-sdk-6.0.425-win-arm64.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow ioc 162 discord.com 163 discord.com 166 discord.com 184 discord.com 191 discord.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 167 icanhazip.com -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files\dotnet\swidtag\Microsoft .NET SDK 6.0.425 (arm64).swidtag dotnet-sdk-6.0.425-win-arm64.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\Installer\e59a05d.msi msiexec.exe File opened for modification C:\Windows\Installer\e59a05d.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
Program crash 3 IoCs
pid pid_target Process procid_target 3864 4696 WerFault.exe 145 4576 336 WerFault.exe 169 3008 3336 WerFault.exe 185 -
System Location Discovery: System Language Discovery 1 TTPs 40 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language stub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ndp48-web.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language build.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dotnet-sdk-6.0.425-win-arm64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language build.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
dotnet-sdk-6.0.425-win-arm64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language build.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language build.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language stub.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dotnet-sdk-6.0.425-win-arm64.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 6 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 5392 netsh.exe 1220 cmd.exe 5736 netsh.exe 5776 cmd.exe 4296 netsh.exe 3900 cmd.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier build.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 build.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier build.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Setup.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 build.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier build.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 build.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 2608 timeout.exe 4884 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Kills process with taskkill 2 IoCs
pid Process 3004 taskkill.exe 1672 taskkill.exe -
Modifies registry class 11 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{56376562-25a5-4949-b5b8-a5e211599d11}\DisplayName = "Microsoft .NET SDK 6.0.425 (arm64)" dotnet-sdk-6.0.425-win-arm64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{56376562-25a5-4949-b5b8-a5e211599d11}\Dependents\{56376562-25a5-4949-b5b8-a5e211599d11} dotnet-sdk-6.0.425-win-arm64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{56376562-25a5-4949-b5b8-a5e211599d11}\Dependents\{56376562-25a5-4949-b5b8-a5e211599d11} dotnet-sdk-6.0.425-win-arm64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{56376562-25a5-4949-b5b8-a5e211599d11}\Dependents dotnet-sdk-6.0.425-win-arm64.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings msedge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{56376562-25a5-4949-b5b8-a5e211599d11}\Version = "6.4.2524.37903" dotnet-sdk-6.0.425-win-arm64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{56376562-25a5-4949-b5b8-a5e211599d11}\Dependents dotnet-sdk-6.0.425-win-arm64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{56376562-25a5-4949-b5b8-a5e211599d11} dotnet-sdk-6.0.425-win-arm64.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{56376562-25a5-4949-b5b8-a5e211599d11} dotnet-sdk-6.0.425-win-arm64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{56376562-25a5-4949-b5b8-a5e211599d11}\ = "{56376562-25a5-4949-b5b8-a5e211599d11}" dotnet-sdk-6.0.425-win-arm64.exe -
NTFS ADS 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 576419.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 794204.crdownload:SmartScreen msedge.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 5024 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 5632 taskmgr.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process Token: 33 3036 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 3036 AUDIODG.EXE Token: SeShutdownPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeIncreaseQuotaPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeSecurityPrivilege 3392 msiexec.exe Token: SeCreateTokenPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeAssignPrimaryTokenPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeLockMemoryPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeIncreaseQuotaPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeMachineAccountPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeTcbPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeSecurityPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeTakeOwnershipPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeLoadDriverPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeSystemProfilePrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeSystemtimePrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeProfSingleProcessPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeIncBasePriorityPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeCreatePagefilePrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeCreatePermanentPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeBackupPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeRestorePrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeShutdownPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeDebugPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeAuditPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeSystemEnvironmentPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeChangeNotifyPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeRemoteShutdownPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeUndockPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeSyncAgentPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: 
SeEnableDelegationPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeManageVolumePrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeImpersonatePrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeCreateGlobalPrivilege 1084 dotnet-sdk-6.0.425-win-arm64.exe Token: SeRestorePrivilege 3392 msiexec.exe Token: SeTakeOwnershipPrivilege 3392 msiexec.exe Token: SeDebugPrivilege 4696 build.exe Token: SeDebugPrivilege 5632 taskmgr.exe Token: SeSystemProfilePrivilege 5632 taskmgr.exe Token: SeCreateGlobalPrivilege 5632 taskmgr.exe Token: SeDebugPrivilege 5388 stub.exe Token: SeDebugPrivilege 3004 taskkill.exe Token: SeDebugPrivilege 336 build.exe Token: SeDebugPrivilege 3776 build.exe Token: SeDebugPrivilege 5224 stub.exe Token: SeDebugPrivilege 1672 taskkill.exe Token: SeDebugPrivilege 3336 build.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 18 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 build.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/Bzd2RIQS#QLUWARjUbkPXSC5JfRj4jr2_zw2pG2b_-AOdzs__d5g 1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd42d46f8,0x7ffbd42d4708,0x7ffbd42d4718 2⤵ PID:208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2 2⤵ PID:724
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3 2⤵
- Suspicious behavior: EnumeratesProcesses
PID:232
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8 2⤵ PID:1400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1 2⤵ PID:2412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1 2⤵ PID:4800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8 2⤵ PID:4136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8 2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5416 /prefetch:8 2⤵ PID:1584
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5476 /prefetch:8 2⤵ PID:3384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1 2⤵ PID:2784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:12⤵PID:4832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:12⤵PID:5136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:12⤵PID:5804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:12⤵PID:5812
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2336 /prefetch:12⤵PID:5412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6332 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5424
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:12⤵PID:5940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:12⤵PID:5340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3412 /prefetch:82⤵PID:5512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:12⤵PID:5604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:12⤵PID:3124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:12⤵PID:4680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:12⤵PID:2264
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6116 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:5204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5556
-
-
C:\Users\Admin\Downloads\dotnet-sdk-6.0.425-win-arm64.exe"C:\Users\Admin\Downloads\dotnet-sdk-6.0.425-win-arm64.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5980 -
C:\Windows\Temp\{7689EEEE-C765-479E-B8B8-CD1979F4E71D}\.cr\dotnet-sdk-6.0.425-win-arm64.exe"C:\Windows\Temp\{7689EEEE-C765-479E-B8B8-CD1979F4E71D}\.cr\dotnet-sdk-6.0.425-win-arm64.exe" -burn.clean.room="C:\Users\Admin\Downloads\dotnet-sdk-6.0.425-win-arm64.exe" -burn.filehandle.attached=584 -burn.filehandle.self=7203⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5372 -
C:\Windows\Temp\{E08701BC-CBB6-48A2-A2A0-4E83D68ACD08}\.be\dotnet-sdk-6.0.425-win-arm64.exe"C:\Windows\Temp\{E08701BC-CBB6-48A2-A2A0-4E83D68ACD08}\.be\dotnet-sdk-6.0.425-win-arm64.exe" -q -burn.elevated BurnPipe.{9F1D3ABD-A81D-4800-9196-4847764ABE03} {9E267468-2390-488F-9A0D-4F27D468D5C6} 53724⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1084
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:12⤵PID:4408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7148 /prefetch:12⤵PID:5596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:12⤵PID:2480
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6980 /prefetch:82⤵PID:2020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7192 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1424
-
-
C:\Users\Admin\Downloads\ndp48-web.exe"C:\Users\Admin\Downloads\ndp48-web.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6072 -
F:\1a766c024b8bb9911d0975\Setup.exeF:\1a766c024b8bb9911d0975\\Setup.exe /x86 /x64 /web3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5396
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,16416297325930604183,7338987463609121919,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3724 /prefetch:82⤵PID:428
-
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:1468
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:540
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x4fc
- Suspicious use of AdjustPrivilegeToken
PID:3036
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:5512
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3392
C:\Users\Admin\Downloads\Stealerium\Builder.exe
"C:\Users\Admin\Downloads\Stealerium\Builder.exe"
PID:6040
C:\Users\Admin\Downloads\Stealerium\Stub\build.exe
"C:\Users\Admin\Downloads\Stealerium\Stub\build.exe"
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4696
  C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:3900
    C:\Windows\SysWOW64\chcp.com
    chcp 65001
    - System Location Discovery: System Language Discovery
    PID:5076
    C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5392
    C:\Windows\SysWOW64\findstr.exe
    findstr All
    - System Location Discovery: System Language Discovery
    PID:2252
  C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  - System Location Discovery: System Language Discovery
  PID:2452
    C:\Windows\SysWOW64\chcp.com
    chcp 65001
    - System Location Discovery: System Language Discovery
    PID:4436
    C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5480
  C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 2896
  - Program crash
  PID:3864
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4696 -ip 4696
PID:1200
C:\Users\Admin\Downloads\Stealerium\Stub\stub.exe
"C:\Users\Admin\Downloads\Stealerium\Stub\stub.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5388
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp7878.tmp.bat
  - System Location Discovery: System Language Discovery
  PID:4340
    C:\Windows\SysWOW64\chcp.com
    chcp 65001
    - System Location Discovery: System Language Discovery
    PID:3396
    C:\Windows\SysWOW64\taskkill.exe
    TaskKill /F /IM 5388
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
    C:\Windows\SysWOW64\timeout.exe
    Timeout /T 2 /Nobreak
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2608
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6096
  C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Stealerium\Stub\stub.exe.config
  - Opens file in notepad (likely ransom note)
  PID:5024
C:\Users\Admin\Downloads\Stealerium\Stub\build.exe
"C:\Users\Admin\Downloads\Stealerium\Stub\build.exe"
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:336
  C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:1220
    C:\Windows\SysWOW64\chcp.com
    chcp 65001
    - System Location Discovery: System Language Discovery
    PID:4528
    C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5736
    C:\Windows\SysWOW64\findstr.exe
    findstr All
    - System Location Discovery: System Language Discovery
    PID:5832
  C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  - System Location Discovery: System Language Discovery
  PID:5956
    C:\Windows\SysWOW64\chcp.com
    chcp 65001
    - System Location Discovery: System Language Discovery
    PID:3860
    C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:6112
  C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 3320
  - Program crash
  PID:4576
C:\Users\Admin\Downloads\Stealerium\Stub\build.exe
"C:\Users\Admin\Downloads\Stealerium\Stub\build.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 336 -ip 336
PID:3296
C:\Users\Admin\Downloads\Stealerium\Stub\stub.exe
"C:\Users\Admin\Downloads\Stealerium\Stub\stub.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5224
  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpE2FB.tmp.bat
  - System Location Discovery: System Language Discovery
  PID:4868
    C:\Windows\SysWOW64\chcp.com
    chcp 65001
    - System Location Discovery: System Language Discovery
    PID:5232
    C:\Windows\SysWOW64\taskkill.exe
    TaskKill /F /IM 5224
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
    C:\Windows\SysWOW64\timeout.exe
    Timeout /T 2 /Nobreak
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4884
C:\Users\Admin\Downloads\Stealerium\Stub\build.exe
"C:\Users\Admin\Downloads\Stealerium\Stub\build.exe"
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3336
  C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:5776
    C:\Windows\SysWOW64\chcp.com
    chcp 65001
    - System Location Discovery: System Language Discovery
    PID:884
    C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4296
    C:\Windows\SysWOW64\findstr.exe
    findstr All
    - System Location Discovery: System Language Discovery
    PID:2596
  C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  - System Location Discovery: System Language Discovery
  PID:5200
    C:\Windows\SysWOW64\chcp.com
    chcp 65001
    - System Location Discovery: System Language Discovery
    PID:3804
    C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5544
  C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 2968
  - Program crash
  PID:3008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3336 -ip 3336
PID:5368
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
C:\Users\Admin\AppData\Local\499e3127c8b3f2120ccb2a46346c3b5e\Admin@KZYBFHMK_en-US\Browsers\Edge\Cookies.txt
Filesize1KB
MD5fdc3ec75dcaf7f0f164e0bf1e0562615
SHA1060c9faba933644967efbaf26876f9f0efeb0968
SHA256b9a73ce4182380defae1a6dfe9964885136ee66d2b66fc1f45b5e59d6767cffe
SHA512a0a0f0da9be88b3badfc1a421766aaff3e1cc1f23d393691aeeac7a6a72fbde938a8cf9d22543db96e1d3c4e4b5735c01619e9a42add86cce45b974afbada992
-
C:\Users\Admin\AppData\Local\499e3127c8b3f2120ccb2a46346c3b5e\Admin@KZYBFHMK_en-US\Browsers\Edge\Cookies.txt
Filesize1KB
MD5df5733491f02725de088a4014c9b5d4d
SHA13564c67dd3f420e79e59bb3c7ebd4ba9699dd154
SHA2565d7948e701ac263cad06885b8c6a63af74ac8c3c420740e0a4789590fbf538ca
SHA51251b4973d29e7e6397077340a8d84e7069e7b6d4e7b827482dc341a6750e972be03f6581bec12db75a66fd3595a072b066af7d6e94cae0510804ac3209ef567d7
-
C:\Users\Admin\AppData\Local\499e3127c8b3f2120ccb2a46346c3b5e\Admin@KZYBFHMK_en-US\Browsers\Edge\History.txt
Filesize1KB
MD5428cb1194d5aca9d66d2ac5edae3c6a1
SHA1a90610aac317b46e9a61aff8d012abebc5aebc8a
SHA256de2ec6c07c14a1dc2b17df1b47b0fb3cf5e8315dae8062ac6d5db368b8e34eb3
SHA51298bfe0b4ce83a611a1b8d0fa6619623ed0b906c1339dce848d2e90a160366100e5e4f7d93b16be2dc79150a255f39de7c5de0c0b6096cc1cf3f66e913969f4be
-
C:\Users\Admin\AppData\Local\499e3127c8b3f2120ccb2a46346c3b5e\Admin@KZYBFHMK_en-US\Browsers\Firefox\Bookmarks.txt
Filesize105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\499e3127c8b3f2120ccb2a46346c3b5e\Admin@KZYBFHMK_en-US\Directories\Desktop.txt
Filesize542B
MD58a74ae838bf821c3112a167930a97898
SHA1addfa188e7ba4329a1e838d60a1ff99cf3d1182a
SHA256fa50c9e883d1681e68a2246687712d090b06eebddd5a0f95375a4fc3f991531d
SHA5127b30b32c6467bdc0f5abc4719424a06820515a39438ebc315f9c8a8b68a78f983c1dbb7a6dfeaa005f389d6b3bb99ca1106c145732b723be9a9a595c95351223
-
C:\Users\Admin\AppData\Local\499e3127c8b3f2120ccb2a46346c3b5e\Admin@KZYBFHMK_en-US\Directories\Documents.txt
Filesize817B
MD5b2d8e6e4245e1e107186caad8d6f2bda
SHA11dd043043cecbf9c11080dfc1e9bf8bc2f505e7d
SHA256bd42a1fb3f8f4c3868effb8e35fd10cdf581bab7f5d39d04f0ea2f21211d4753
SHA512bb3d9800ff68e81043e18987cb98c57394f7473482752fa6c193f9ce85e3084b828d8e7c7c190312d8e74e59fbb817b82ce18cc4984db38366a7e9886e6bbf1a
-
C:\Users\Admin\AppData\Local\499e3127c8b3f2120ccb2a46346c3b5e\Admin@KZYBFHMK_en-US\Directories\Downloads.txt
Filesize1KB
MD5cb7508beb804cb8c21e0b1c8c7df39f8
SHA174129d8e11d4072208f4ffdf64ba7c8baf1ed4df
SHA25651b28eb12e0e01f733336eaa5a5e42f14271a831b17c41b7b93bfe6ce57a4745
SHA5129da4a8aada9b7962e57bb9e4099f1b9f21881efe2ef8bd4727115f6a4f422e301a64d338b17f17c631341bb5a005c331d5004c88d8a97d35a1cc0487d4c3f68a
-
C:\Users\Admin\AppData\Local\499e3127c8b3f2120ccb2a46346c3b5e\Admin@KZYBFHMK_en-US\Directories\OneDrive.txt
Filesize25B
MD5966247eb3ee749e21597d73c4176bd52
SHA11e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA2568ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa
-
C:\Users\Admin\AppData\Local\499e3127c8b3f2120ccb2a46346c3b5e\Admin@KZYBFHMK_en-US\Directories\Pictures.txt
Filesize386B
MD56eb12c0521d8de0b1fb6662349137dc6
SHA18741c3a334e3e0ddd92f424912727ee291f04940
SHA256e6da08804217cd6f0ba73cc31806f473faeee5513c215eaecd6d054ba803afb6
SHA512fa028903097fd0b3fb2025971ec38c4497bff329558ce48313fa34300371ba5fbf0d13f208c63fa7d0d8f611c6993b2ef8b7fddb87042833ea4e7708800ea453
-
C:\Users\Admin\AppData\Local\499e3127c8b3f2120ccb2a46346c3b5e\Admin@KZYBFHMK_en-US\Directories\Startup.txt
Filesize24B
MD568c93da4981d591704cea7b71cebfb97
SHA1fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA51263455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402
-
C:\Users\Admin\AppData\Local\499e3127c8b3f2120ccb2a46346c3b5e\Admin@KZYBFHMK_en-US\Directories\Videos.txt
Filesize23B
MD51fddbf1169b6c75898b86e7e24bc7c1f
SHA1d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA51220bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d
-
C:\Users\Admin\AppData\Local\499e3127c8b3f2120ccb2a46346c3b5e\Admin@KZYBFHMK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\Stealerium\Builder.runtimeconfig.json
Filesize253B
MD524e4653829de1022d01cd7ddd26e2f22
SHA19160a009cb381e044ba4c63e4435da6bfeb9dc6d
SHA256ded3aeb5856a11db0b654a785574490cab55839ebfb17efe9e39b89618fc5b91
SHA512efd4bbba1baec0b47003831510e3aa539db9ef468e0f06ba9d7ba6d0b3800035f7c818d7d90171bfd377ec97d08c4617555bcff635dd83efceb412b1a9cca820
-
Filesize
6KB
MD5f639a5896764b5ee31ab6e53ea4bb6fd
SHA11dff1e2482d04e8d8d21171c4ce39d3e76ac1d45
SHA256653cacab4beb26fc76b74250b2e1d3e4e27a0ea57b641b252bd3ebb0877fea43
SHA51282b38941422f7ce801a9da6584d0f981839dd25c6016f1d68fcb78731e588ec746a83d62891e8ba254cf2a8889efb1a83cbfd8b2caf857e2dccf4fc7ab4f1c25
-
C:\Users\Admin\AppData\Local\499e3127c8b3f2120ccb2a46346c3b5e\Admin@KZYBFHMK_en-US\System\Clipboard.txt
Filesize121B
MD5c95279540d2add0745102dac2971d712
SHA146a91347b42dd131ca53ed2e6c0929c5213f9532
SHA25613c31c00d18a61e0a9e7d83e7d728f92d08132caf8da562e8e32946dc127ec42
SHA512005522c7266c1d309d4fbf803e4d6bf18c3ad963f2c39fa39e8558935b2fdfdc003b128b77be654e8ad53632a741875e7e6d8e41c8689157ac7e056e677f990c
-
Filesize
3KB
MD5a00c2de8a19f6e2e4d5c7b9d80ad087a
SHA10c73fcfb5e7cdcc47744fa188d0d799d06ded8d5
SHA25661622a44292198563d2f024cf3d19c6f06a836de22e9607831b91edacbb77473
SHA512a836fd42723abb538a24dcea02db497648db5724eee953f5badf3bf8840ec2139ed2e223aed82db95be1a217a9eb623ecb30c9859b097f779cf672ab68abb6bc
-
Filesize
2KB
MD5a3f7348c9fd908bc21dbff295d808a88
SHA1905e851db8c4adb32653c0a55916b8fa169fd0dd
SHA25633b861d9cc0f222974ff88204cde766a6df745b277b8a876a057a7a9769de84c
SHA512109dec88a007ac610f592dc1d1442c591ba6257651d16797aa4713ff9464358b089121561fe9b6a3ff2afd414fe544b39452df952b8e456161d29ac7ce0713dc
-
C:\Users\Admin\AppData\Local\499e3127c8b3f2120ccb2a46346c3b5e\Admin@KZYBFHMK_en-US\System\Desktop.jpg
Filesize47KB
MD5cc6734af8decb63395c8f2957c5bf31f
SHA11c8afa2e4ff764c8d47e102c287a8c4f1d3876b7
SHA256f59f1ff94a92ceae4de7eae5f2a9878a25822ae00c806100d55a5b69b3140ccd
SHA512396159adda1b63e89d58d8fb7ca341ce4bbf32c9f02a4fb470f860801d52d41df4c0ed241708423184267b744e6481e6a9f35b25a4c10510b1d4031f3a7b41c6
-
C:\Users\Admin\AppData\Local\499e3127c8b3f2120ccb2a46346c3b5e\Admin@KZYBFHMK_en-US\System\Process.txt
Filesize4KB
MD55eedca8f57830ef7f9537554bbc822c5
SHA17eb7c90584d729363757fa58fe4bc01f99daed83
SHA256e3295a361e0bef9425aca78ff1078460a675cef6ff0292a544dd897d81c01869
SHA51289ba52cf8a69e015c48d2c8100a43ca4fb7ef09be7e7c4032b74bd9f4e103d7db05db6b4fb4f27a9f9efd95f35eb966eed9ce28098bec90bbb8bbaf8a059b847
-
C:\Users\Admin\AppData\Local\499e3127c8b3f2120ccb2a46346c3b5e\Admin@KZYBFHMK_en-US\System\Process.txt
Filesize4KB
MD562eed7d7a0465f0ccd104bf3d58f83a7
SHA15612939b9ead6301b850975e20c67bdf6896b395
SHA256d5d34f1db1995d27cb30fd2ae4aab99b2345318274b318c9d8cf479e1ff7d264
SHA512b96240139f4d7301bd26d53e0c69bc08726972b90b1835320aa5a385fbfa3f3af477a644e9609e7bdbc98bfa9a37c06ba909487398502287f8b2311f13ccf238
-
C:\Users\Admin\AppData\Local\499e3127c8b3f2120ccb2a46346c3b5e\Admin@KZYBFHMK_en-US\System\Process.txt
Filesize4KB
MD57098bd0517d7c2d3853dec1f8c5c82c2
SHA1107ac8d235562ce3ecb76606367d3ef0b198830b
SHA2561fca652275ef7dd4f63db3048ae1afe3cac0fcbc2c1182fdcd440c5ca37755a5
SHA512ce380953d5607bf7f90cd5063414e3e6d34e8fdda7f94f0fd3c31b7dde274e78fe9f379219b1e9e481e3bcd9000b2575d5aa3d9803b89e10caf3a57eef583432
-
C:\Users\Admin\AppData\Local\499e3127c8b3f2120ccb2a46346c3b5e\Admin@KZYBFHMK_en-US\System\ProductKey.txt
Filesize29B
MD571eb5479298c7afc6d126fa04d2a9bde
SHA1a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA5127c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd
-
C:\Users\Admin\AppData\Local\499e3127c8b3f2120ccb2a46346c3b5e\Admin@KZYBFHMK_en-US\System\Windows.txt
Filesize581B
MD5fbeff60abb3f89dcc71ffc5bc560c671
SHA1608604fa463c11200d70ba8786920d55027e220c
SHA25632985096044e9de2134c19f22516eaa8275b6760e75ff14fedfb4f8c2e847c72
SHA512ad33acb6e9987fedd7fa2dfe1b1aa508e1aead994c5414c69511f8b69fc86daa2d9b5fda552b52d5786a68dcbd5e6b8b88c8aaca691756b5736a33e8f825a227
-
Filesize
11KB
MD5879e93650620a006ddb933c3c01cdfb0
SHA1a80d9dcd966e2bc236da05822480f8cfaa0c847c
SHA2566d16768168bae96f43bbe555e215337e5c4a7087ac691135a4ea7e03d7aac8d9
SHA5122e6c0341bb7368def3927547c396cbc4caa2adae06f2f8ff83cae11522afea4eab5657fd713fc4660befb67c437013ab1064b6e9bf129e3828e1fa5412850f06
-
Filesize
152B
MD5ab8ce148cb7d44f709fb1c460d03e1b0
SHA144d15744015155f3e74580c93317e12d2cc0f859
SHA256014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff
SHA512f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4
-
Filesize
152B
MD538f59a47b777f2fc52088e96ffb2baaf
SHA1267224482588b41a96d813f6d9e9d924867062db
SHA25613569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b
SHA5124657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b
-
Filesize
22KB
MD59196e81f8ed7f223d765423c1f9bc8a7
SHA188f9d5c2a6908cf36b8daae803578ca9e1fd2929
SHA256a4e2bcf7ef3c6c614c2142d3c1fd44caac4eafa86a1779ac31cba164e2d89cbe
SHA512e7d23866fcac017762d2e2f18597124e9147f458d30038f78ba9f3a2bcbe479fe4792573894370ce2d6f93a00401231d9f01955fde351ff982a82ba87a8241f8
-
Filesize
55KB
MD58abadd2f68f54cf27ec3ab4d7652c19f
SHA1f635f96fae89c7692223b815e8d1c33fe16c2508
SHA25626275155bb4502608df3b3ebc18ab944424162b835b8c4c2fb205d24ecad92a4
SHA5129566f19f92037629cd27ebd69197b3a35764e1291e836668c82523c515ede24faccbaa4916588aaa9e4b86cdd4cbfe66ffa8473825886317e4163d3022b80dd3
-
Filesize
55KB
MD55ad67628093b90d7b09f19fea57ebe1d
SHA1c983290e8692fe0d4a5a6f7354c27ad4c61a0221
SHA2564c79b51c58fa56da28c18b94f01cd86596fcceeabe3f7e624cfd355bb966b63c
SHA51277831e58cad399009e784dca517836ed2a27237890f5ab63dda6409b528952313c33f76b689076162f239d3de2da1aa96d369c19a3a328da431ce712642574b8
-
Filesize
1.4MB
MD534a5c76979563918b953e66e0d39c7ef
SHA14181398aa1fd5190155ac3a388434e5f7ea0b667
SHA2560bba3094588c4bfec301939985222a20b340bf03431563dec8b2b4478b06fffa
SHA512642721c60d52051c7f3434d8710fe3406a7cfe10b2b39e90ea847719ed1697d7c614f2df44ad50412b1df8c98dd78fdc57ca1d047d28c81ac158092e5fb18040
-
Filesize
220KB
MD5ff747684ee884a7b85c728c7c6606738
SHA1274f40361da900a3d0229aacd185c4e1ffe6d4d9
SHA25675c025f8dca0de862155d68f097ea42d46e48f74e46e4a3a4741abc1099a5932
SHA512957627de7ac173900bd065cbabbeebcfd1393652c7e053827c91c8ea87792f54d34c612cbf72901a8ccaef9a091d7dbc177f5c38f22f8aa98527a1e31f493a1d
-
Filesize
258B
MD597b6f3efa4d465155623ddc82fe05051
SHA1c25bd07bdc16e0655b2c6c798e293d088f4146cf
SHA2567fc451705fb87f6476acce99291eda6fc1633d47da21a3cfd892f93a4974e423
SHA512ad33ebd365767ebf1739dda71cf327e2bf5af3b838000a19437ea8da065837071e8788caf32984a26aa0886e0d17e1e8f444224dcd39fd0fc47d38527e6a77e5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
Filesize 16B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize 41B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize 72B
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c488.TMP
Filesize 48B
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_.NET_SDK_6.0.425_(arm64)_20240903224219_000_dotnet_runtime_6.0.33_win_arm64.msi.log
Filesize 4KB
-
C:\Windows\Temp\{E08701BC-CBB6-48A2-A2A0-4E83D68ACD08}\Microsoft.NET.Sdk.Android.Manifest_6.0.300.32.0.301_arm64.msi
Filesize 436KB
-
C:\Windows\Temp\{E08701BC-CBB6-48A2-A2A0-4E83D68ACD08}\Microsoft.NET.Sdk.MacCatalyst.Manifest_6.0.300.15.4.303_arm64.msi
Filesize 436KB
-
C:\Windows\Temp\{E08701BC-CBB6-48A2-A2A0-4E83D68ACD08}\Microsoft.NET.Sdk.Maui.Manifest_6.0.300.6.0.312_arm64.msi
Filesize 436KB
-
C:\Windows\Temp\{E08701BC-CBB6-48A2-A2A0-4E83D68ACD08}\Microsoft.NET.Sdk.iOS.Manifest_6.0.300.15.4.303_arm64.msi
Filesize 436KB
-
C:\Windows\Temp\{E08701BC-CBB6-48A2-A2A0-4E83D68ACD08}\Microsoft.NET.Sdk.macOS.Manifest_6.0.300.12.3.303_arm64.msi
Filesize 436KB
-
C:\Windows\Temp\{E08701BC-CBB6-48A2-A2A0-4E83D68ACD08}\Microsoft.NET.Sdk.tvOS.Manifest_6.0.300.15.4.303_arm64.msi
Filesize 436KB
-
C:\Windows\Temp\{E08701BC-CBB6-48A2-A2A0-4E83D68ACD08}\Microsoft.NET.Workload.Emscripten.Manifest_6.0.300.6.0.33_arm64.msi
Filesize 472KB
-
C:\Windows\Temp\{E08701BC-CBB6-48A2-A2A0-4E83D68ACD08}\Microsoft.NET.Workload.Mono.ToolChain.Manifest_6.0.300.6.0.5_arm64.msi
Filesize 440KB
-
C:\Windows\Temp\{E08701BC-CBB6-48A2-A2A0-4E83D68ACD08}\aspnetcore_targeting_pack_6.0.33_servicing.24379.5_win_arm64.msi
Filesize 2.3MB
-
C:\Windows\Temp\{E08701BC-CBB6-48A2-A2A0-4E83D68ACD08}\dotnet_60templates_6.0.425_servicing.24379.3_win_arm64.msi
Filesize 3.1MB
-
C:\Windows\Temp\{E08701BC-CBB6-48A2-A2A0-4E83D68ACD08}\windowsdesktop_targeting_pack_6.0.33_win_arm64.msi
Filesize 3.2MB